Views:

Configure the integration to enable Trend Vision One to share data with Google Security Operations (Google SecOps) SIEM for enhanced security telemetry analysis.

Trend Vision One pushes alerts, event data, container vulnerabilities, activity data, and audit logs to AWS S3 buckets managed by Trend Micro. Google SecOps retrieves this data using data feeds approximately every 15 minutes. Unretrieved data in the S3 buckets is retained for 7 days before being purged.
You can create multiple feeds in Google SecOps and configure the data obtained using the feeds individually.
Important
Important
The following instructions and screen captures were valid as of April 7, 2024. For further help, check your Google SecOps documentation.

Procedure

  1. In the Trend Vision One console, generate the access key and specify the data to send to Google SecOps.
    1. Go to Workflow and AutomationThird-Party Integration.
    2. In the Integration column, click Google Security Operations SIEM.
    3. Under Access key, click Generate key to generate the access key ID and secret access key used for data feed configuration in Google SecOps.
    4. Under Data transfer, enable the toggle next to the data you want to send to S3 buckets.
      Note
      Note
      Sending activity data to an S3 bucket requires Trend Vision One credits. Configure the data allowance for transferring activity data and manage credit allocation in the Credits & Billing app.
      For information on the data format and requirements, see Data specification for AWS S3 buckets.
      Important
      Important
      Data in S3 buckets is retained for 7 days before being purged. Ensure your Google SecOps feeds are properly configured to ingest data from Trend Vision One.
      Whenever a data transfer is enabled, an S3 URI is generated and the data begins to be sent to the corresponding S3 bucket. Copy and store the S3 URI in a safe location.
    5. For Events and Activity data, click Edit to modify the scope of the data.
      Modifying the scope does not change the generated S3 URI.
    6. To stop sending a type of data to Google SecOps, disable the toggle next to the data.
      Re-enabling the data transfer generates a new S3 URI. You need to configure a new feed in Google SecOps.
  2. In Google SecOps, configure SIEM settings by creating feeds to pull data from AWS S3 buckets.
    1. From the Google SecOps menu, select Settings, and then click Feeds.
    2. Click Add New.
    3. Configure the new feed settings.
      Step
      Screenshot
      Settings
      Set Properties
      		 GoogleSecOps_1=fa9eda37-d5e8-400a-88ad-578394b40bcf.png
      1. Specify a FEED NAME.
      2. Select Amazon S3 for SOURCE TYPE.
      3. Select the Trend Vision One data you want Google SecOps to ingest for LOG TYPE. Available options include:
        • Trend Micro Vision One Activity
        • Trend Micro Vision One Detections
        • Trend Micro Vision One Container Vulnerabilities
        • Trend Micro Vision One Workbench
        • Trend Micro Vision One Audit
        • Trend Micro Vision One Observed Attack Techniques
      4. Click Next.
      Input Parameters
      		 GoogleSecOps_2=51129d62-7464-4094-9b0c-a2a09677f945.png
      1. Select Auto Detect for REGION.
      2. Paste the S3 URI obtained in the previous step in S3 URI.
      3. Select Directory which includes subdirectories for URI IS A.
      4. Select Never delete files for SOURCE DELETION OPTION.
      5. Paste the access key ID and secrete access key obtained in the previous step into ACCESS KEY ID and SECRET ACCESS KEY.
      6. Click NEXT.
      Finalize
      		 GoogleSecOps_3=b35ba15a-045d-4b60-8be6-f2fa79e60cb3.png
      1. Review your new feed settings.
      2. Click SUBMIT.
    4. Repeat to add multiple feeds for all the data types.
    For more information on creating and managing feeds, see the Google SecOps documentation.
    Google SecOps begins to pull Trend Vision One data from the S3 buckets approximately every 15 minutes.