TrendAI - Telemetry updates verified via XDR Search pipeline #181
MyPeaches wants to merge 2 commits into
TrendAI Vision One - telemetry updates verified via XDR Search pipeline
…rend AI" (57 entries) Trend Micro has rebranded to TrendAI. This commit updates the vendor key name across all Sub-Category entries in EDR_telem_windows.json to reflect the new brand name. Along with telemetry value changes made.
Ah! Forgot to add.. Which might cause a bit of confusion.. TrendAI's native eventId(s) can be unique... i.e. Local Account Deletion1 'eventId:6 / eventSubId:502'; eventId:10 = Windows Event Log bridge > via EventLogs. Thank you!
@MyPeaches - Thanks for the detailed submission and the added context on eventId:10 vs native eventId:6. I reviewed this against the current methodology standard and current origin/main. Please check out the following requested changes:
- Add stronger evidence for Win32 API Telemetry. Please add either a raw/exported event or screenshot columns/details showing the actual invoked API/function name or equivalent API-specific payload fields, plus the controlled action used to generate it. Right now the evidence proves a generic TELEMETRY_BM_INVOKE_API subtype exists, but not what Win32 API detail is exposed to the analyst.
- Add stronger evidence for Pipe Connection and Pipe Creation. Please add a raw/exported event or screenshot showing the pipe name/path/object field for eventSubId:1402, ideally with the process/user fields and the controlled action that created the connection. The current screenshots support the subtype but not the pipe target details.
- Local Account Creation and deletion: This looks like, in direct telemetry, we will need to see evidence of the account being deleted. Please provide evidence using our Windows telemetry generator.
Once the above evidence is added, I can re-review the remaining mapping changes quickly.
Contribution Details
Updating existing TrendAI (formerly Trend Micro) telemetry values in "EDR_telem_windows.json" based on direct observation via the Vision One XDR Search pipeline (Endpoint Sensor telemetry, "eventId"/"eventSubId" mapping). Also renames the vendor key from "Trend Micro" to "TrendAI" to reflect the current brand name.
Telemetry Validation
All 8 fields were validated as natively collected by the Endpoint Sensor (pname: Endpoint Sensor, productCode: xes) on Windows Server 2022. Events are distinct standalone telemetry types not derived from Windows Event Logs.

| Sub-Category | Previous Value | New Value | eventId | eventSubId |
|---|---|---|---|---|
| File Opened | Via EnablingTelemetry | Yes | 2 – TELEMETRY_FILE | 102 – TELEMETRY_FILE_OPEN |
| File Deletion | Via EnablingTelemetry | Yes | 2 – TELEMETRY_FILE | 103 – TELEMETRY_FILE_DELETE |
| Local Account Creation | Via EventLogs | Yes | 6 – TELEMETRY_ACCOUNT | 501 – TELEMETRY_ACCOUNT_ADD |
| Local Account Deletion | Via EnablingTelemetry | Yes | 6 – TELEMETRY_ACCOUNT | 502 – TELEMETRY_ACCOUNT_DELETE |
| URL | No | Yes | 7 – TELEMETRY_INTERNET | 603 – TELEMETRY_INTERNET_DOWNLOAD |
| Pipe Creation | Via EnablingTelemetry | Yes | 17 – TELEMETRY_PIPE | 1401 – TELEMETRY_PIPE_CREATE |
| Pipe Connection | Via EnablingTelemetry | Yes | 17 – TELEMETRY_PIPE | 1402 – TELEMETRY_PIPE_CONNECT |
| Win32 API Telemetry | Pending Response | Yes | 14 – TELEMETRY_BM | 1102 – TELEMETRY_BM_INVOKE_API |
Documentation or Evidence:
Type of Contribution
Validation Details
EDR Product Information
Screenshots
File Opened1 'eventId:2 / eventSubId:102'

File Opened2 'eventId:2 / eventSubId:102'

File Delete1 'eventId:2 / eventSubId:103'

File Delete2 'eventId:2 / eventSubId:103'

Local Account Creation1 'eventId:6 / eventSubId:501'

Local Account Creation2 'eventId:6 / eventSubId:501'

Local Account Deletion1 'eventId:6 / eventSubId:502'

Local Account Deletion2 'eventId:6 / eventSubId:502'

Note that for the local account creation/deletion, the sensor captured processCmd showing the exact test commands that triggered the events, implying the sensor caught the action natively, not via event logs. Kindly let me know if there's any trouble!
URL1 'eventId:7 / eventSubId:603'

URL2 'eventId:7 / eventSubId:603'

URL3 'eventId:7 / eventSubId:603'

PipeCreation1 'eventId:17 / eventSubId:1401'

PipeCreation2 'eventId:17 / eventSubId:1401'

PipeCreation3 'eventId:17 / eventSubId:1401'

PipeConnection1 'eventId:17 / eventSubId:1402'

PipeConnection2 'eventId:17 / eventSubId:1402'

Win32APITelemetry1 'eventId:14 / eventSubId:1102'

Win32APITelemetry2 'eventId:14 / eventSubId:1102'

Let me know if further clarification is needed as I still have access to a console with populated data. Much appreciated!
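A check a reviewer of this mapping could run, as an added example that is not code from the PR or the EDR-Telemetry project: it grades each Sub-Category from the validation table as "Yes", "Via EventLogs" or "No" depending on whether the observed records arrived natively (eventId/eventSubId) or through the eventId:10 Windows Event Log bridge the author mentions, then renames the vendor key from "Trend Micro" to "TrendAI". The entry layout of EDR_telem_windows.json, the `winEventId` field name and the sample records are assumptions.

```python
# (eventId, eventSubId) pairs from the PR's validation table, keyed to the
# Sub-Category each is claimed to cover as native Endpoint Sensor telemetry.
NATIVE_SUBTYPES = {
    (2, 102): "File Opened", (2, 103): "File Deletion",
    (6, 501): "Local Account Creation", (6, 502): "Local Account Deletion",
    (7, 603): "URL", (17, 1401): "Pipe Creation",
    (17, 1402): "Pipe Connection", (14, 1102): "Win32 API Telemetry",
}
EVENTLOG_BRIDGE_ID = 10  # eventId:10 = Windows Event Log bridge (author's comment)
# Windows Security IDs 4720 (user created) / 4726 (user deleted) that a bridged record
# may carry. ASSUMPTION: the bridged record exposes them in a field named "winEventId".
BRIDGED_SUBCATEGORIES = {4720: "Local Account Creation", 4726: "Local Account Deletion"}

def grade_subcategories(events):
    """Return {Sub-Category: value}: 'Yes' when a native record was observed,
    'Via EventLogs' when only the eventId:10 bridge supplied it, else 'No'."""
    grades = {name: "No" for name in NATIVE_SUBTYPES.values()}
    for ev in events:
        native = NATIVE_SUBTYPES.get((ev.get("eventId"), ev.get("eventSubId")))
        if native:
            grades[native] = "Yes"  # a native record outranks any bridged record
        elif ev.get("eventId") == EVENTLOG_BRIDGE_ID:
            bridged = BRIDGED_SUBCATEGORIES.get(ev.get("winEventId"))
            if bridged and grades[bridged] == "No":
                grades[bridged] = "Via EventLogs"
    return grades

def apply_vendor_update(entries, grades, old="Trend Micro", new="TrendAI"):
    """Rename the vendor key on every entry and write the graded values in.
    ASSUMPTION: entries are dicts with a "Sub-Category" key plus vendor keys."""
    for entry in entries:
        if old in entry:
            entry[new] = entry.pop(old)
        if entry.get("Sub-Category") in grades:
            entry[new] = grades[entry["Sub-Category"]]
    return entries

# Constructed sample records and entries (not real XDR Search or repo data).
SAMPLE_EVENTS = [
    {"eventId": 6, "eventSubId": 501},    # native account creation
    {"eventId": 10, "winEventId": 4726},  # deletion seen only via the bridge
    {"eventId": 17, "eventSubId": 1402},  # native pipe connection
]
SAMPLE_ENTRIES = [
    {"Sub-Category": "Local Account Creation", "Trend Micro": "Via EventLogs"},
    {"Sub-Category": "Local Account Deletion", "Trend Micro": "Via EnablingTelemetry"},
    {"Sub-Category": "Pipe Connection", "Trend Micro": "Via EnablingTelemetry"},
]

if __name__ == "__main__":
    print(apply_vendor_update(SAMPLE_ENTRIES, grade_subcategories(SAMPLE_EVENTS)))
```

A Sub-Category that only ever shows up through the bridge stays at "Via EventLogs", which is exactly the distinction the reviewer asked to see evidence for on account deletion.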