Observed Attack Techniques (OAT)

Overview

Get a list of observed attack techniques. This endpoint is used to retrieve detailed attack activity observed across the environment and map it to the MITRE ATT&CK framework.

The response contains an array of activities under the items field.

Trendmicro uses nextLink-based pagination for the /oat endpoint. NextLink-based pagination relies on a link (nextLink) that gives the link for the next call. Each API response contains a nextLink field.

Configuration

Parameters

Name - domain

Value - trendMicroDomain

Secrets

After entering the required secrets, you can choose to manually enter the Trend Micro OAT fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your Cortex XDR multi alerts YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "responseBodyLink"
  nextLinkSelector: ".nextLink"
  limit: 100
  request:
    method: GET
    url: "https://${parameters.trendMicroDomain}/v3.0/oat/detections"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "Bearer ${secrets.trendMicroBearerToken}"
    queryParams:
      - name: detectedStartDateTime
        value: "${temporalWindow.from}"
      - name: detectedEndDateTime
        value: "${temporalWindow.to}"
  output:
    select: ".items"
    map: "."
    outputMode: element

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - 0
Format - RFC3339

Authentication Phase

OFF

Enumeration Phase

OFF

Collection Phase

Pagination Type* - Next Link at Response body
Next Link Selector* - .nextLink
Request
Method* - GET
URL* - https://${parameters.trendMicroDomain}/v3.0/oat/detections
Headers -
- Name - Accept
- Value - application/json
- Name - Authorization
- Value - Bearer ${secrets.trendMicroBearerToken}
Query Params
- Name - detectedStartDateTime
- Value - ${temporalWindow.from}
- Name - detectedEndDateTime
- Value - ${temporalWindow.to}
Body type* - there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select raw and enter the {} placeholder.
Output
- Select - .items
- Map - .
- Output Mode - element

This HTTP Pull Listener now uses the API to extract events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousVision one NextWorkbench Alerts

Last updated 1 month ago

Was this helpful?