Solution: Trend Micro Apex One
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-07-06 |
| Last Updated | 2022-03-24 |
| Solution Folder | Trend Micro Apex One |
| Marketplace | Azure Marketplace · Popularity: 🟡 Low (30%) |
| Pre-requisites | Common Event Format |
The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to the Trend Micro Apex Central documentation for more information.
This solution depends on the Common Event Format solution, which provides the CEF via AMA connector used to collect the logs; the Common Event Format solution is installed as part of this solution's installation.
NOTE: Microsoft recommends installing the CEF via AMA connector. The existing (legacy) connectors are scheduled for deprecation by Aug 31, 2024.
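The solution's own content is KQL that runs inside Sentinel, so there is nothing on this page you can execute locally. The following added example (not part of the solution or of Trend Micro's or Microsoft's code) shows, on a handful of constructed CEF lines, what the CEF via AMA path does to an event before the analytics see it: the seven-field CEF header and the key=value extension are parsed into the CommonSecurityLog column names the connector uses (DeviceVendor, DeviceProduct, SourceIP, DeviceAction, ...), events are narrowed to the vendor/product pair, and a threshold count of deny/terminate actions per source IP is run over the result. The vendor/product strings ("Trend Micro" / "Apex Central"), the event class IDs in the samples and the threshold of 3 are assumptions chosen for illustration, not values taken from the TMApexOneEvent parser or the "Multiple deny or terminate actions on single IP" rule.

```python
import re
from collections import Counter

# Subset of the CEF extension key -> CommonSecurityLog column mapping used by
# the Sentinel CEF connectors (the real mapping covers many more keys).
CEF_EXT_TO_CSL = {
    "src": "SourceIP", "dst": "DestinationIP", "act": "DeviceAction",
    "suser": "SourceUserName", "shost": "SourceHostName",
    "dhost": "DestinationHostName", "msg": "Message", "fname": "FileName",
    "request": "RequestURL", "dvchost": "DeviceName", "rt": "ReceiptTime",
}
HEADER_COLS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
               "DeviceEventClassID", "Activity", "LogSeverity"]


def parse_cef(line):
    """Parse one syslog/CEF line into a dict keyed like CommonSecurityLog."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    # Seven pipe-delimited header fields (a literal pipe inside them is
    # escaped as \|), then the free-form extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    row = {"CEFVersion": parts[0][len("CEF:"):]}
    for col, val in zip(HEADER_COLS, parts[1:7]):
        row[col] = val.replace("\\|", "|").replace("\\\\", "\\")
    # Extension values may contain spaces, so split only just before the next
    # key=; a literal '=' inside a value is escaped as \=.
    for kv in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, val = kv.partition("=")
        if not key:
            continue
        val = val.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
        row[CEF_EXT_TO_CSL.get(key, key)] = val
    return row


def tm_apex_one_events(rows, vendor="Trend Micro", product="Apex Central"):
    """Vendor/product filter standing in for the TMApexOneEvent parser.
    The default vendor/product strings are an assumption, not taken from the parser."""
    return [r for r in rows
            if r.get("DeviceVendor") == vendor and r.get("DeviceProduct") == product]


DENY_ACTIONS = ("deny", "terminate")


def multiple_deny_by_ip(rows, threshold=3):
    """Flag source IPs with >= threshold deny/terminate actions. Local stand-in
    for the 'Multiple deny or terminate actions on single IP' rule; the
    threshold and action strings are assumptions."""
    counts = Counter(
        r["SourceIP"] for r in rows
        if r.get("SourceIP") and r.get("DeviceAction", "").lower() in DENY_ACTIONS
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines: hosts, IPs, class IDs and messages are invented.
SAMPLE_LINES = [
    "<134>Jan  5 10:00:01 apexcentral CEF:0|Trend Micro|Apex Central|2019|WebReputation|Web Reputation|3|"
    "src=10.0.0.5 dst=203.0.113.10 act=Deny request=http://bad.example/cmd.exe?x\\=1 dvchost=PC-01",
    "CEF:0|Trend Micro|Apex Central|2019|WebReputation|Web Reputation|3|src=10.0.0.5 dst=203.0.113.11 act=Deny dvchost=PC-01",
    "CEF:0|Trend Micro|Apex Central|2019|BehaviorMonitoring|Behavior Monitoring|6|src=10.0.0.5 act=Terminate msg=Suspicious command line detected dvchost=PC-01",
    "CEF:0|Trend Micro|Apex Central|2019|WebReputation|Web Reputation|3|src=10.0.0.6 dst=203.0.113.10 act=Deny dvchost=PC-02",
    "CEF:0|Trend Micro|Apex Central|2019|BehaviorMonitoring|Behavior Monitoring|6|src=10.0.0.7 act=Pass msg=Allowed by policy dvchost=PC-03",
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|THREAT|url|3|src=10.0.0.5 dst=203.0.113.10 act=alert",
]

if __name__ == "__main__":
    rows = [parse_cef(line) for line in SAMPLE_LINES]
    apex = tm_apex_one_events(rows)
    print(f"{len(rows)} CEF rows, {len(apex)} attributed to Apex One")
    for ip, n in multiple_deny_by_ip(apex).items():
        print(f"ALERT {ip}: {n} deny/terminate actions")
```

The same vendor/product filter is the first thing to check when the analytic rules stay silent after installation: if the values Apex Central actually emits differ from what the parser expects, every event lands in CommonSecurityLog but none is attributed to the solution.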
This solution depends on 1 other solution(s):
| Solution |
|---|
| Common Event Format |
This solution has 2 discovered data connector(s)⚠️ (not in Solution definition):
| Connector |
|---|
| [Deprecated] Trend Micro Apex One via AMA |
| [Deprecated] Trend Micro Apex One via Legacy Agent |
Connectors from dependency solutions:
| Connector | Solution |
|---|---|
| Common Event Format (CEF) | Common Event Format |
| Common Event Format (CEF) via AMA | Common Event Format |
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| CommonSecurityLog | Common Event Format (CEF) (dependency), Common Event Format (CEF) via AMA (dependency), [Deprecated] Trend Micro Apex One via AMA, [Deprecated] Trend Micro Apex One via Legacy Agent | Analytics, Hunting, Workbooks |
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| ApexOne - Attack Discovery Detection | High | InitialAccess | CommonSecurityLog |
| ApexOne - C&C callback events | High | CommandAndControl | CommonSecurityLog |
| ApexOne - Commands in Url | High | InitialAccess | CommonSecurityLog |
| ApexOne - Device access permissions was changed | Medium | PrivilegeEscalation | CommonSecurityLog |
| ApexOne - Inbound remote access connection | High | LateralMovement | CommonSecurityLog |
| ApexOne - Multiple deny or terminate actions on single IP | High | InitialAccess | CommonSecurityLog |
| ApexOne - Possible exploit or execute operation | High | PrivilegeEscalation, Persistence | CommonSecurityLog |
| ApexOne - Spyware with failed response | High | InitialAccess | CommonSecurityLog |
| ApexOne - Suspicious commandline arguments | High | Execution | CommonSecurityLog |
| ApexOne - Suspicious connections | High | CommandAndControl | CommonSecurityLog |
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| ApexOne - Behavior monitoring actions by files | Execution | CommonSecurityLog |
| ApexOne - Behavior monitoring event types by users | PrivilegeEscalation, Persistence | CommonSecurityLog |
| ApexOne - Behavior monitoring operations by users | Execution | CommonSecurityLog |
| ApexOne - Behavior monitoring triggered policy by command line | Execution | CommonSecurityLog |
| ApexOne - Channel type by users | CommandAndControl | CommonSecurityLog |
| ApexOne - Data loss prevention action by IP | Collection | CommonSecurityLog |
| ApexOne - Rare application protocols by Ip address | InitialAccess | CommonSecurityLog |
| ApexOne - Spyware detection | Execution | CommonSecurityLog |
| ApexOne - Suspicious files events | Execution | CommonSecurityLog |
| ApexOne - Top sources with alerts | Execution, InitialAccess, PrivilegeEscalation, DefenseEvasion, CommandAndControl, Exfiltration | CommonSecurityLog |
Workbooks:
| Name | Tables Used |
|---|---|
| TrendMicroApexOne | CommonSecurityLog |
Parsers:
| Name | Description | Tables Used |
|---|---|---|
| TMApexOneEvent | - | CommonSecurityLog (read) |
Release notes:
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.3 | 13-12-2024 | Removed Deprecated Data Connectors |
| 3.0.2 | 12-07-2024 | Deprecated Data Connector |
| 3.0.1 | 25-10-2023 | Hunting Query column corrected |
| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA Data connector |