Unable to ingest Vision One workbench logs via SOAR connector

Hey Folks,

I'm a bit stuck and would really appreciate some help.

I'm trying to pull the Trend Micro Vision One logs using the Chronicle SOAR connector and below is the config:
I've used the Master administrator API key from TM vision one.

Screenshot 2025-03-03 202823.png

Please help me find out why I am not able to pull logs and search them!!

Thanks



Hello,

Are you getting an error or just not getting any alerts ingested? Did you follow the official documentation on how to generate the API key from https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/trend-vision-one ?

Hi @TonyH 

Yes, I followed the instructions and have used the Master admin token, and I am not able to find the logs in Chronicle. Is there any particular query to find the logs? Also, I have posted a few more details below, please check those as well!

Thanks 

Hey Ankur_8991, based on the screenshot that you've shared, your configuration for the connector is valid, because you've already managed to ingest 2 alerts in the last day.

Maybe you've missed those alerts because they were grouped under a specific case, but to confirm that the configuration is correct, you need to go to the "Testing" tab and see if you get a green checkmark (it's okay if no alert is shown after the test run, because there might not be any during the provided timeframe).


Hi @ylandovskyy 

Yes, the testing tab seems to be working correctly:


Screenshot 2025-03-03 215105.png

Full output:


-------------------------------------------------------------------------------------------------------
No data found for property key: overflow_settings
***** This is an "IDE Play Button"\"Run Connector once" test run ******
------------------- Main - Param Init -------------------
API Root: https://api.in.xdr.trendmicro.com
Verify SSL: true
Paramter Environment Field Name was not found or was empty, used default_value None instead
Environment Regex Pattern: .*
PythonProcessTimeout: 180
Paramter Lowest Severity To Fetch was not found or was empty, used default_value None instead
Max Hours Backwards: 1
Max Alerts To Fetch: 10
Use dynamic list as a blocklist: false
------------------- Main - Started -------------------
No data found for property key: ids
Key: "ids" does not exist in the database. Returning default value instead: []
Successfully loaded 0 existing alerts.
No data found for property key: timestamp
Last success time. Date time:2025-03-03 15:16:33.763907+00:00. Unix:1741014993763
Fetched 0 alerts
This is a TEST run. Only 1 alert will be processed.
Alerts processed: 0 out of 0
Created total of 0 cases
------------------- Main - Finished -------------------

Dynamic script connector completed successfully but returned no cases..

--------------------------------------------------------------------------------------------------------------------
Where do I find these alerts? Is there any particular query that I could use to see if logs are correctly coming to Chronicle?

Thanks

My suggestion would be to go to Search -> SOAR Search. Inside of it, set a filter for Cases that contain an alert with the Trend Vision One product.

I don't have your connector installed, but here is an image for reference. In my screenshot I am searching for Cases that contain a Google Forms alert in the last 24 hours.

ylandovskyy_0-1741019492594.png


I am receiving the alerts via log forwarding, and it looks like we are not receiving all the needed fields/logs. Hence, I was trying the API SOAR connector, and for this workbench ID I don't see any logs. More details below.

Raw Logs:

<130>Mar 03 2025 16:29:01 tpi-external-in.xdr.trendmicro.com CEF:0|Trend Micro|Trend Vision One|1.0.0|900001|Trend Vision One Workbench Alert|9|rt=Mar 03 2025 16:27:05 cat=Registry Change cn1=2 cs1=https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11452-20250303-00014?ref\=f4c674ed41a4a1f06600c86a4c2fe2f5b0ac56ee msg= cn1Label=Impact Scope Count cs1Label=Workbench Link externalId=WB-11452-20250303-00014 sourceServiceName=SAE


Ankur_8991_0-1741020981803.png

Search result:

Ankur_8991_1-1741021268831.png

Not sure where the logs are going??

Thanks
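To see which fields the forwarded alert actually carries, it helps to parse the raw CEF line above into structured fields. The following parser is an added example written for this thread; it is not code from the original posts, from Trend Micro, or from Google SecOps. It takes the syslog-wrapped CEF line posted above as its constructed sample, handles the `\=` escape inside the `cs1` workbench link, folds the `cs1Label`/`cn1Label` names onto their values, and reports which of a caller-chosen list of expected fields (the `wanted` list is hypothetical) arrived empty or missing, which is the check the post is asking about.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the raw line quoted in the post above (syslog PRI prefix,
# CEF:0 header, and an extension whose cs1 URL contains a backslash-escaped '=').
SAMPLE_LINE = (
    '<130>Mar 03 2025 16:29:01 tpi-external-in.xdr.trendmicro.com '
    'CEF:0|Trend Micro|Trend Vision One|1.0.0|900001|Trend Vision One Workbench Alert|9|'
    'rt=Mar 03 2025 16:27:05 cat=Registry Change cn1=2 '
    'cs1=https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/'
    'WB-11452-20250303-00014?ref\\=f4c674ed41a4a1f06600c86a4c2fe2f5b0ac56ee '
    'msg= cn1Label=Impact Scope Count cs1Label=Workbench Link '
    'externalId=WB-11452-20250303-00014 sourceServiceName=SAE'
)

# The seven fixed CEF header fields, in order.
CEF_HEADER = ("cef_version", "device_vendor", "device_product",
              "device_version", "signature_id", "name", "severity")

# Optional <PRI> and free-form syslog header, then the CEF payload.
_SYSLOG_RE = re.compile(r'^(?:<(?P<pri>\d+)>)?(?P<hdr>.*?)(?P<cef>CEF:\d+\|.*)$', re.S)
# An extension key starts at the beginning or after a space and ends at an
# unescaped '='; an escaped '\=' inside a value never matches because the
# backslash is not a key character.
_KEY_RE = re.compile(r'(?:^| )(?P<key>[A-Za-z0-9_.\-]+)=')
_UNESCAPE_RE = re.compile(r'\\(.)')


def _unescape(value: str) -> str:
    # CEF value escapes: backslash-equals, backslash-backslash, \n and \r.
    return _UNESCAPE_RE.sub(
        lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into key/value pairs; values may contain spaces."""
    fields: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group('key')] = _unescape(ext[m.end():end])
    return fields


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog-wrapped CEF line into a structured record."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a CEF line")
    record: Dict[str, Any] = {}
    if m.group('pri') is not None:
        pri = int(m.group('pri'))
        record['syslog_facility'] = pri >> 3   # 130 -> 16 (local0)
        record['syslog_severity'] = pri & 7    # 130 -> 2  (critical)
    record['syslog_header'] = m.group('hdr').strip()
    # Exactly seven header fields; everything after the 7th unescaped '|' is
    # the extension, even if the extension itself contains more pipes.
    parts = re.split(r'(?<!\\)\|', m.group('cef'), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER, parts[:7]))
    header['cef_version'] = header['cef_version'].split(':', 1)[1]
    header['severity'] = int(header['severity'])
    record.update(header)
    fields = parse_extension(parts[7])
    record['extension'] = fields
    # Fold custom-field labels: cs1Label="Workbench Link" names the value in cs1.
    record['labeled'] = {
        fields[k]: fields[k[:-5]]
        for k in fields if k.endswith('Label') and k[:-5] in fields
    }
    return record


def workbench_id(record: Dict[str, Any]) -> str:
    """The Workbench alert ID (externalId in this feed) to search for in SOAR."""
    return record['extension'].get('externalId', '')


def empty_fields(record: Dict[str, Any], wanted: List[str]) -> List[str]:
    """Names from `wanted` that arrived absent or empty via log forwarding."""
    ext = record['extension']
    return [k for k in wanted if not ext.get(k)]


if __name__ == '__main__':
    rec = parse_cef(SAMPLE_LINE)
    print(workbench_id(rec), rec['severity'], rec['labeled'])
    # 'suser' is a hypothetical field chosen only to show a missing one.
    print("empty or missing:", empty_fields(rec, ['externalId', 'msg', 'cat', 'suser']))
```

Run against the posted line, the parser returns `WB-11452-20250303-00014` as the externalId, CEF severity 9, and flags `msg` as empty, which is consistent with the observation that the forwarded alert carries fewer fields than the API view of the same workbench alert.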


It's important to understand that SOAR ingestion and SIEM ingestion are not 1-to-1.

If you've used the SOAR connector to ingest data from Trend Vision One, then this data is not going to create logs in SIEM, because you directly ingested Trend Vision One alerts into SOAR alerts.

To have logs in SIEM, you need to set up the feed and parser.

Oh, alright.

I will disable the log forwarding and try to see if the connector is pulling logs.