Trend Vision one Decoders


perps grace

Feb 20, 2026, 7:42:33 AM (4 days ago) Feb 20
to Wazuh | Mailing List
Hello,
I have integrated Trend Vision One with Wazuh using a syslog connection. I'm, however, having trouble creating decoders and rules for the following logs:

2026-02-15T10:27:27+00:00 tpi-external-sg.xdr.trendmicro.com CEF: 0|Trend Micro|Trend Vision One|1.0.0|900002|Trend Vision One Observed Attack Technique|5|rt=Feb 14 2026 19:27:27 act= app= cat=Suspicious WebDav Client Copying Powershell Script cs1=TA0008 cs2=T1570 dpt= dst= msg=Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of lateral movement or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397. spt= src= dhost= shost= dvchost=PIC04033 request= cs1Label=MITRE Tactics IDs cs2Label=MITRE Technique IDs externalId=TELEMETRY_PROCESS deviceFacility=Endpoint Sensor deviceDirection= deviceExternalId=3d11151c-4c58-4596-ac02-9e8ae60ab7ba deviceProcessName=C:\\Windows\\System32\\svchost.exe TrendMicroV1CompanyID=0fc326ce-65bb-4f1c-947f-8978d9b525b8

and 

2026-02-15T18:22:23+00:00 tpi-external-sg.xdr.trendmicro.com CEF: 0|Trend Micro|Trend Vision One|1.0.0|900004|Trend Vision One System Audit Log|2|rt=Feb 15 2026 21:19:05 cat=Cloud Accounts cn1=1771179545 cs1=Update AWS account state msg={'Account ID': '313994315839', 'Role ARN': 'arn:aws:events:ap-southeast-1:06:event-bus/service-eventbridge-ap-southeast-1-prod', 'Account Alias': 'AWS-DR-Account', 'Created': '2025-07-17T09:58:40Z', 'Features': ['cloud-sentry', 'file-storage-security', 'real-time-posture-monitoring', 'data-security-posture-management'], 'Last Modified': '2026-02-14T18:14:57Z', 'State': 'outdated', 'Error': '204'} cn1Label=Timestamp cs1Label=Activity TrendMicroV1CompanyID=0fc326ce-65bb-4f1c-947f-8978d9b525b8

kindly help me out.

Regards,
Perps Kamii

Olamilekan Abdullateef Ajani

Feb 20, 2026, 9:25:31 AM (4 days ago) Feb 20
to Wazuh | Mailing List
Hello Perps,

I have created a sample decoder and matching rule for you below. Feel free to modify this at will to meet your requirements. You can also refer to the documentation on writing and modifying custom decoders and rules.

Decoder in /var/ossec/etc/decoders/local_decoder.xml

<decoder name="Trendvision">
  <program_name>CEF</program_name>
  <prematch>\|Trend Micro\|Trend Vision One\|</prematch>
</decoder>


<decoder name="trendmicro-child">
  <parent>Trendvision</parent>
  <prematch>Trend Vision One Observed Attack Technique</prematch>
  <regex type="pcre2">^\d+\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|.*?rt=([^=]*?)(?=\s+\w+=).*?cat=([^=]*?)(?=\s+\w+=).*?cs1=([^=]*?)(?=\s+\w+=).*?cs2=([^=]*?)(?=\s+\w+=).*?dpt=([^=]*?)(?=\s+\w+=).*?dst=([^=]*?)(?=\s+\w+=).*?msg=(.*?)(?=\s+\w+=).*?dvchost=([^=]*?)(?=\s+\w+=).*?externalId=([^=]*?)(?=\s+\w+=).*?deviceFacility=([^=]*?)(?=\s+\w+=).*?deviceExternalId=([^=]*?)(?=\s+\w+=).*?deviceProcessName=([^=]*?)(?=\s+\w+=|$)</regex>

  <order>vendor,product,version,eventid,eventname,severity,rt,category,mitre_tactic,mitre_technique,dstport,dstip,message,dvchost,externalId,deviceFacility,deviceExternalId,processImage</order>
</decoder>

<decoder name="trendmicro-audit-child">
  <parent>Trendvision</parent>
  <prematch>Trend Vision One System Audit Log</prematch>
  <regex type="pcre2">^\d+\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|([^|]+)\|.*?rt=([^=]*?)(?=\s+\w+=).*?cat=([^=]*?)(?=\s+\w+=).*?cn1=([^=]*?)(?=\s+\w+=).*?cs1=([^=]*?)(?=\s+\w+=).*?msg=(.*?)(?=\s+\w+Label=|$)</regex>

  <order>vendor,product,version,eventid,eventname,severity,rt,category,timestamp,activity,message</order>
</decoder>

And rules in /var/ossec/etc/rules/local_rules.xml

<group name="trendmicro,trendvisionone,">
  <!-- decoded_as must name the parent decoder defined above ("Trendvision"); child decoder names are not matched here -->
  <rule id="158877" level="3">
    <decoded_as>Trendvision</decoded_as>
    <description>Trend Vision One Event</description>
  </rule>

  <rule id="158878" level="8">
    <if_sid>158877</if_sid>
    <match>Trend Vision One Observed Attack Technique</match>
    <description>Trend Vision One – Observed Attack Technique</description>
    <group>trendmicro,attack_technique,</group>
  </rule>

  <rule id="158879" level="5">
    <if_sid>158877</if_sid>
    <match>Trend Vision One System Audit Log</match>
    <description>Trend Vision One – System Audit Log</description>
    <group>trendmicro,audit,</group>
  </rule>
</group>

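As an added offline check (not part of the reply above, and not Wazuh code), the Python below splits the two sample lines the same way the posted decoder's regex does: the CEF header on pipes, and each extension value running until the next " key=" token, which is what the (?=\s+\w+=) lookahead relies on. It shows what each field will carry, including the empty ones (act=, dpt=, dst=), before the decoder is loaded; the end-to-end test is still /var/ossec/bin/wazuh-logtest. Both msg values in the embedded samples are shortened.

```python
import re

# Constructed from the two sample lines in the question; both msg values are
# shortened to keep the samples readable. Raw strings keep the CEF "\\" escapes.
SAMPLE_OAT = (
    "2026-02-15T10:27:27+00:00 tpi-external-sg.xdr.trendmicro.com CEF: 0|Trend Micro|"
    "Trend Vision One|1.0.0|900002|Trend Vision One Observed Attack Technique|5|"
    "rt=Feb 14 2026 19:27:27 act= app= cat=Suspicious WebDav Client Copying Powershell Script "
    'cs1=TA0008 cs2=T1570 dpt= dst= msg=Detects "svchost.exe" spawning "rundll32.exe" with '
    r"command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. "
    "spt= src= dhost= shost= dvchost=PIC04033 request= cs1Label=MITRE Tactics IDs "
    "cs2Label=MITRE Technique IDs externalId=TELEMETRY_PROCESS deviceFacility=Endpoint Sensor "
    "deviceDirection= deviceExternalId=3d11151c-4c58-4596-ac02-9e8ae60ab7ba "
    r"deviceProcessName=C:\\Windows\\System32\\svchost.exe "
    "TrendMicroV1CompanyID=0fc326ce-65bb-4f1c-947f-8978d9b525b8"
)
SAMPLE_AUDIT = (
    "2026-02-15T18:22:23+00:00 tpi-external-sg.xdr.trendmicro.com CEF: 0|Trend Micro|"
    "Trend Vision One|1.0.0|900004|Trend Vision One System Audit Log|2|rt=Feb 15 2026 21:19:05 "
    "cat=Cloud Accounts cn1=1771179545 cs1=Update AWS account state msg={'Account ID': "
    "'313994315839', 'Account Alias': 'AWS-DR-Account', 'Features': ['cloud-sentry', "
    "'file-storage-security'], 'State': 'outdated', 'Error': '204'} "
    "cn1Label=Timestamp cs1Label=Activity TrendMicroV1CompanyID=0fc326ce-65bb-4f1c-947f-8978d9b525b8"
)

# Seven pipe-separated CEF header fields; everything after the seventh pipe is the extension.
HEADER_KEYS = ("cef_version", "vendor", "product", "version", "eventid", "eventname", "severity")
# One key=value pair. The value (empty or containing spaces) runs until the next " key="
# token or end of line: the same split the decoder makes with its (?=\s+\w+=) lookahead.
# A CEF-escaped "\=" inside a value does not trigger the split, since "\" is not \w.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Return the header and extension fields of one syslog-wrapped CEF line as a dict."""
    body = line.split("CEF: ", 1)[1]
    parts = body.split("|", 7)
    if len(parts) != 8:
        raise ValueError("not a CEF record: expected 7 header fields")
    fields = dict(zip(HEADER_KEYS, parts[:7]))
    fields.update(EXT_RE.findall(parts[7]))
    return fields

def apply_labels(fields):
    """Rename csN/cnN fields after their csNLabel/cnNLabel companions (CEF convention)."""
    out = dict(fields)
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in out:
            out[label] = out.pop(key[:-5])
            del out[key]
    return out
```

apply_labels() gives the names Trend Micro itself assigns (MITRE Tactics IDs, Timestamp, Activity), which is what the hand-written order list in the decoder is approximating.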