Collect Trend Micro Vision One Activity logs

Supported in:

This document explains how to ingest Trend Micro Vision One Activity logs to Google Security Operations using AWS S3. The parser transforms Trend Micro Vision One Activity logs from JSON format into a Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to Trend Micro Vision One.

Configure Logging on Trend Micro Vision One

  1. Sign in to the Trend Micro Vision One console.
  2. Go to Workflow and Automation > Third-Party Integration.
  3. Click Google Security Operations SIEM.
  4. Under Access key, click Generate key.
  5. Copy and Save the access key ID and secret access key.
  6. Under Data transfer, enable the toggle next to Activity Data.
  7. An S3 URI is generated and the data begins to be sent to the corresponding S3 bucket.
  8. Copy and save the S3 URI in a safe location.
  9. (Optional): For Events and Activity data, click Edit to modify the scope of the data (Modifying the scope does not change the generated S3 URI).

Configure a feed in Google SecOps to ingest Trend Micro Vision One Activity logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Trend Micro Vision One Activity Logs).
  4. Select Amazon S3 as the Source type.
  5. Select Trend Micro Vision One Activity as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • Region: The region where the Amazon S3 bucket is located.
    • S3 URI: The bucket URI (the format should be: s3://log-bucket-name/). Replace the following:
      • log-bucket-name: the name of the bucket.
    • URI is a: Select Directory or Directory which includes subdirectories, .
    • Source deletion options: Select Never delete files. Data in the S3 bucket is retained for 7 days before being purged.
    • Access Key ID: User access key with access to the S3 bucket.
    • Secret Access Key: User secret key with access to the S3 bucket.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.

Need more help? Get answers from Community members and Google SecOps professionals.