Observed Attack Techniques (OAT)

Toggle this ON to enable a free text field where you can paste your Cortex XDR multi alerts YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "responseBodyLink"
  nextLinkSelector: ".nextLink"
  limit: 100
  request:
    method: GET
    url: "https://${parameters.trendMicroDomain}/v3.0/oat/detections"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "Bearer ${secrets.trendMicroBearerToken}"
    queryParams:
      - name: detectedStartDateTime
        value: "${temporalWindow.from}"
      - name: detectedEndDateTime
        value: "${temporalWindow.to}"
  output:
    select: ".items"
    map: "."
    outputMode: element

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

• Duration - 5 minutes (5m) as default, adjust based on your needs.

• Offset - 0

• Format - RFC3339

Authentication Phase

OFF

Enumeration Phase

OFF

Collection Phase

• Pagination Type* - Next Link at Response body

• Next Link Selector* - .nextLink

• Request

• Method* - GET

• URL* - https://${parameters.trendMicroDomain}/v3.0/oat/detections

• Headers -

  • Name - Accept

  • Value - application/json

  • Name - Authorization

  • Value - Bearer ${secrets.trendMicroBearerToken}

• Query Params

  • Name - detectedStartDateTime

  • Value - ${temporalWindow.from}

  • Name - detectedEndDateTime

  • Value - ${temporalWindow.to}

• Body type* - there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select raw and enter the {} placeholder.

• Output

  • Select - .items

  • Map - .

  • Output Mode - element