Views:
search-identifier elements define the specific patterns Trend Vision One uses to detect events. A filter can contain up to 19 search-identifier elements.

Components

{search-identifier key}:
    {List or object}
    {List or object}
    ....
    {List or object}
The following table outlines the components of search-identifier elements:
Component
Description
Search-identifier key
Key of the search-identifier.
List
List of strings that the filter attempts to localize in the detection logs. All elements in a list are matched using the "OR" operator.
Use the field names defined in the search method data sources to create lists.
eventSub:
    eventSubId:
        - TELEMETRY_CONNECTION_CONNECT_OUTBOUND
        - TELEMETRY_CONNECTION_CONNECT_INBOUND
Object
Objects consist of key-value pairs. All elements in an object are matched using the "AND" operator.
Use the field names defined in the search method data sources to create objects.
detection:
    selection:
        dpt:
            - 5650
            - 5655
        processCmd: '*-run_agent*'
    condition: selection
Note
Note
The following field names from the Cloud Activity Data source cannot be used in custom filters:
  • requestParameters
  • resources
  • responseElements
  • userIdentity

Guidelines

The following table outlines the guidelines to create search-identifier elements.
Section
Description
Strings
  • Strings are case-insensitive.
  • Enclose strings with apostrophes (').
    Example: eventName: 'GetParameter'
  • Use backslashes (\) to escape strings.
  • Escaping strings is only needed for the following characters:
    • Apostrophes (')
      Example: message: 'I don\'t know.'
    • Asterisks (*) when used as regular characters
      Example: string: '5 \* 2 = 10'
    • Backslashes (\) when used as regular characters
      Example: path: 'C:\\Windows\\notepad.exe'
    • Question marks (?)
      Example: url: 'https://www.google.com/search\?q=weather'
Wildcards
  • Use an asterisk (*) as a wildcard for unknown parts of the string. Do not use multiple asterisks (**) as wildcards.
  • The Trend Micro Sigma specification allows using the following special modifiers to facilitate the search of strings:
    • Check if a string finishes with the specified characters: *string
    • Check if a string starts with the specified characters: string*
    • Check if a string contains the specified characters: *string*
Important
Important
Fields marked as dynamic only support the special modifier *string*. Dynamic fields do not support exact match strings.
Numeric values
Numeric values do not require apostrophes.
Value modifiers
Value modifiers are not allowed in custom filters.

Special Field Values

  • Avoid using the following special field values:
    • Empty values ('', null)
    • Single character wildcards (?)
  • For the eventId and eventSubId fields of Endpoint Activity Data and Mobile Activity Data, use the data field mapping value instead of the numeric value.
    eventSubId: TELEMETRY_PROCESS_OPEN # Instead of eventSubId: 1