Decoders and Rules for Trend Micro Apex One - SaaS (Apex Central)


Daniel Lima

Feb 18, 2022, 4:46:32 PM
to Wazuh mailing list
Hi Everyone,

Does someone have an example of Decoders and rules for Trend Micro Apex One/Apex Central?

Thanks 

Daniel Lima

Feb 18, 2022, 5:07:42 PM
to Wazuh mailing list
These are the log examples:

Feb 18 18:55:22 amlfmp.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=54003A0D3FBA-A9D211EC-9105-3FBE-529C rt=Feb 18 2022 21:52:11 GMT+00:00 dvchost=CU-12707-2 deviceFacility=Apex One src=8.241.239.254 TMCMLogDetectedIP=8.241.239.254 TMCMLogDetectedHost=CTBCPWN048 dst=192.168.100.11 smac=F4:1D:6B:1F:AA:4A spt=80 dmac=FC:01:7C:B3:84:33 dpt=1711 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=Web Client Common cn1Label=Rule cn1=1011091 cs1Label=Reason/Rule cs1=1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105) cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=COMPWIRE dntdom=Compwire\\
Feb 18 18:55:22 amlfmp.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=54003A0D3FBA-A9D211EC-9105-1BB9-127A rt=Feb 18 2022 21:51:42 GMT+00:00 dvchost=CU-12707-2 deviceFacility=Apex One src=8.241.239.254 TMCMLogDetectedIP=8.241.239.254 TMCMLogDetectedHost=CTBCPWN048 dst=192.168.100.11 smac=F4:1D:6B:1F:AA:4A spt=80 dmac=FC:01:7C:B3:84:33 dpt=1669 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=Web Client Common cn1Label=Rule cn1=1011091 cs1Label=Reason/Rule cs1=1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105) cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=COMPWIRE dntdom=Compwire\\

John Soliani

Feb 19, 2022, 9:54:35 AM
to Wazuh mailing list
Hi Dan! 

  Thanks for posting in our community!

  Using the logtest tool (`/var/ossec/bin/wazuh-logtest`; if available, use `/var/ossec/bin/wazuh-logtest-legacy`), we can see that the log doesn't match any decoder by default.
```
**Phase 1: Completed pre-decoding.
        full event: 'Feb 18 18:55:22 amlfmp.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=54003A0D3FBA-A9D211EC-9105-3FBE-529C rt=Feb 18 2022 21:52:11 GMT+00:00 dvchost=CU-12707-2 deviceFacility=Apex One src=8.241.239.254 TMCMLogDetectedIP=8.241.239.254 TMCMLogDetectedHost=CTBCPWN048 dst=192.168.100.11 smac=F4:1D:6B:1F:AA:4A spt=80 dmac=FC:01:7C:B3:84:33 dpt=1711 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=Web Client Common cn1Label=Rule cn1=1011091 cs1Label=Reason/Rule cs1=1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105) cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=COMPWIRE dntdom=Compwire\\'
        timestamp: 'Feb 18 18:55:22'
        hostname: 'amlfmp.manage.trendmicro.com'
        program_name: 'CEF'

**Phase 2: Completed decoding.
        No decoder matched.
```

  So we'll need to create them. We can see that the pre-decoder stage detected it with a `program_name` of CEF, so we'll use that. Create the file `/var/ossec/etc/decoders/001-Trend-Micro.xml` and put this inside:
```
<!-- Parent decoder: matches on the syslog program name (CEF) and the
     "0|Trend Micro|...|" header, so only Apex Central events reach the children. -->
<decoder name="trend-micro">
    <program_name>CEF</program_name>
    <prematch>^\d+|Trend Micro|\.+|\d+|\w+|\.+|\d|</prematch>
</decoder>

<!-- Child decoders: each one extracts a single key=value pair from the CEF
     extension. The name in <order> is the field the rules will see. -->
<decoder name="trend-micro_child">
    <parent>trend-micro</parent>
    <regex>devicePayloadId=(\S+)</regex>
    <order>devicePayloadId</order>
</decoder>

<!-- rt carries the device timestamp, e.g. "Feb 18 2022 21:52:11 GMT+00:00" -->
<decoder name="trend-micro_child">
    <parent>trend-micro</parent>
    <regex>rt=(\w+ \d+ \d+ \d+:\d+:\d+ \w++\d+:\d+) </regex>
    <order>rt</order>
</decoder>

<decoder name="trend-micro_child">
    <parent>trend-micro</parent>
    <regex>dvchost=(\S+)</regex>
    <order>dvchost</order>
</decoder>

<!-- src/dst are stored as srcip/dstip so the built-in <srcip>/<dstip>
     rule options can match on them. -->
<decoder name="trend-micro_child">
    <parent>trend-micro</parent>
    <regex>src=(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
</decoder>

<decoder name="trend-micro_child">
    <parent>trend-micro</parent>
    <regex>dst=(\d+.\d+.\d+.\d+)</regex>
    <order>dstip</order>
</decoder>

<!-- cs1 holds the rule reason text; it contains spaces, so capture up to " cnt=". -->
<decoder name="trend-micro_child">
    <parent>trend-micro</parent>
    <regex>cs1=(\.+) cnt=</regex>
    <order>cs1</order>
</decoder>
```
  You can extract more data from the log if you need to by adding blocks like the last ones I've created. Then you'll need some rules to show alerts in the UI; let's create a new file `...etc/rules/001-Trend-Micro.xml` with this inside:
```
<group name="custom-rules,">

  <!-- Base rule: level 0 generates no alert, it only tags every event the
       trend-micro decoder handled so child rules can build on it. -->
  <rule id="202202" level="0">
    <decoded_as>trend-micro</decoded_as>
    <description>Trend Micro Log detected.</description>
    <group>trend-micro,</group>
  </rule>

  <!-- Child rule: alerts at level 5 when the decoded dstip is the watched host. -->
  <rule id="202203" level="5">
    <if_sid>202202</if_sid>
    <dstip>192.168.100.11</dstip>
    <description>Trend Micro Log: The dstip is $(dstip).</description>
    <group>trend-micro,</group>
  </rule>

</group>
```

  Logtest tool results (if available, use `/var/ossec/bin/wazuh-logtest-legacy`):
```
**Phase 1: Completed pre-decoding.
       full event: 'Feb 18 18:55:22 amlfmp.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=54003A0D3FBA-A9D211EC-9105-3FBE-529C rt=Feb 18 2022 21:52:11 GMT+00:00 dvchost=CU-12707-2 deviceFacility=Apex One src=8.241.239.254 TMCMLogDetectedIP=8.241.239.254 TMCMLogDetectedHost=CTBCPWN048 dst=192.168.100.11 smac=F4:1D:6B:1F:AA:4A spt=80 dmac=FC:01:7C:B3:84:33 dpt=1711 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=Web Client Common cn1Label=Rule cn1=1011091 cs1Label=Reason/Rule cs1=1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105) cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=COMPWIRE dntdom=Compwire\\'
       timestamp: 'Feb 18 18:55:22'
       hostname: 'amlfmp.manage.trendmicro.com'
       program_name: 'CEF'
       log: '0|Trend Micro|Apex Central|2019|Log|Intrusion Prevention|3|devicePayloadId=54003A0D3FBA-A9D211EC-9105-3FBE-529C rt=Feb 18 2022 21:52:11 GMT+00:00 dvchost=CU-12707-2 deviceFacility=Apex One src=8.241.239.254 TMCMLogDetectedIP=8.241.239.254 TMCMLogDetectedHost=CTBCPWN048 dst=192.168.100.11 smac=F4:1D:6B:1F:AA:4A spt=80 dmac=FC:01:7C:B3:84:33 dpt=1711 cn2Label=Mode cn2=1 act=Log deviceDirection=Inbound cn3Label=Priority cn3=1 cn4Label=Severity cn4=1 proto=10003 cs2Label=Application_Type cs2=Web Client Common cn1Label=Rule cn1=1011091 cs1Label=Reason/Rule cs1=1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105) cnt=1 ApexCentralHost=Apex Central as a Service deviceNtDomain=COMPWIRE dntdom=Compwire\\'

**Phase 2: Completed decoding.
       decoder: 'trend-micro'
       devicePayloadId: '54003A0D3FBA-A9D211EC-9105-3FBE-529C'
       rt: 'Feb 18 2022 21:52:11 GMT+00:00'
       dvchost: 'CU-12707-2'
       srcip: '8.241.239.254'
       dstip: '192.168.100.11'
       cs1: '1011091 - Identified Download Of Executable File Over HTTP (ATT&CK T1105)'

**Phase 3: Completed filtering (rules).
       Rule id: '202203'
       Level: '5'
       Description: 'Trend Micro Log: The dstip is 192.168.100.11.'
**Alert to be generated.
```
  Bear in mind that in order to apply these changes, you'll need to restart the manager(s) with `systemctl restart wazuh-manager` or `service wazuh-manager restart`.

Hope this helps,
John.-
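An added example, not from the thread or from Wazuh: a small CEF parser in Python that decodes the same Apex Central event the decoders above handle, resolves the `csNLabel`/`cnNLabel` pairs (so `cs1` shows up as `Reason/Rule`), and mirrors the two rules from the reply. It is useful for listing every extension field the feed carries before deciding which ones deserve their own child decoder. `SAMPLE` is a trimmed copy of the first posted event; the `watched_dstip` parameter and field names are this example's own.

```python
import re
# Constructed sample: a trimmed copy of the first Apex Central event posted above.
SAMPLE = (
    "Feb 18 18:55:22 amlfmp.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|Log|"
    "Intrusion Prevention|3|devicePayloadId=54003A0D3FBA-A9D211EC-9105-3FBE-529C "
    "rt=Feb 18 2022 21:52:11 GMT+00:00 dvchost=CU-12707-2 deviceFacility=Apex One "
    "src=8.241.239.254 dst=192.168.100.11 spt=80 dpt=1711 act=Log cn1Label=Rule cn1=1011091 "
    "cs1Label=Reason/Rule cs1=1011091 - Identified Download Of Executable File Over HTTP "
    "(ATT&CK T1105) cnt=1 dntdom=Compwire\\\\"
)
HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
# A key starts at the beginning of the extension or after whitespace; a value runs
# until the next key, which is how CEF permits spaces inside values (see cs1).
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")
RENAME = {"src": "srcip", "dst": "dstip"}  # same renames the decoders do via <order>


def parse_cef(line: str) -> dict:
    """Parse one syslog-wrapped CEF event into a flat dict of decoded fields.
    Assumes the header carries no escaped pipes, which holds for this feed."""
    cef = line[line.index("CEF:") + 4:].lstrip()
    parts = cef.split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipes")
    fields = dict(zip(HEADER, parts[:7]))
    ext = parts[7]
    keys = list(KEY_RE.finditer(ext))
    raw = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = ext[m.end():end].strip()
    # Resolve csNLabel/cnNLabel pairs: cs1Label=Reason/Rule exposes cs1 as "Reason/Rule".
    for key, value in raw.items():
        if key.endswith("Label"):
            if key[:-5] in raw:
                fields[value] = raw[key[:-5]]
        else:
            fields[RENAME.get(key, key)] = value
    return fields


def match_rules(fields: dict, watched_dstip: str = "192.168.100.11"):
    """Mirror the two rules from the reply: 202202 (level 0) for any Trend Micro
    event, 202203 (level 5) when dstip is the watched address. Returns (id, level)."""
    if fields.get("device_vendor") != "Trend Micro":
        return None
    if fields.get("dstip") == watched_dstip:
        return (202203, 5)
    return (202202, 0)
```

Run `parse_cef` over a few real lines from your feed and diff the key sets: any key you see there but not in the decoders above needs its own child decoder before a rule can match on it.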
