# Observed Attack Techniques (OAT) ## Overview Get a list of observed attack techniques. This endpoint is used to retrieve detailed attack activity observed across the environment and map it to the MITRE ATT\&CK framework. * The response contains an array of activities under the `items` field. Trendmicro uses nextLink-based pagination for the /oat endpoint. NextLink-based pagination relies on a link (nextLink) that gives the link for the next call. Each API response contains a nextLink field. ## Configuration ### Parameters **Name** - domain **Value** - `trendMicroDomain` ### Secrets * `TrendMicroBearerToken` refers to the [Bearer Token ](https://docs.trendmicro.com/en-us/documentation/article/cloud-app-security-integration-api-online-help-generating-an-authen)used to authenticate the connection to Trend Micro.

To add a Secret, open the **Secret** fields and click **New secret**: * Give the secret a **Name**. * Turn off the **Expiration date** option. * Click **Add new value** and paste the secret corresponding to the value. * Click **Save**.

{% hint style="info" %} Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management). {% endhint %} You can now select the secret you just created in the corresponding fields. After entering the required secrets, you can choose to manually enter the Trend Micro OAT fields, or simply paste the given YAML: {% tabs %} {% tab title="Config as YAML" %} Toggle this **ON** to enable a free text field where you can paste your **Cortex XDR multi alerts** YAML. ```yaml withTemporalWindow: true temporalWindow: duration: 5m offset: 5m tz: UTC format: RFC3339 withAuthentication: false withEnumerationPhase: false collectionPhase: paginationType: "responseBodyLink" responseBodyLinkSelector: ".nextLink" limit: 100 request: method: GET url: "https://${parameters.trendMicroDomain}/v3.0/oat/detections" headers: - name: Accept value: application/json - name: Authorization value: "Bearer ${secrets.trendMicroBearerToken}" queryParams: - name: detectedStartDateTime value: "${temporalWindow.from}" - name: detectedEndDateTime value: "${temporalWindow.to}" output: select: ".items" map: "." outputMode: element ``` {% endtab %} {% tab title="Manually configure" %} **Temporal Window** Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected. * **Duration -** 5 minutes (`5m`) as default, adjust based on your needs. * **Offset -** `5m` * **Format** - `RFC3339` **Authentication Phase** **OFF** #### **Enumeration Phase** **OFF** #### **Collection Phase** * **Pagination Type****\***** -** Next Link at Response body * **Next Link Selector****\***** -** .`nextLink` * **Response Body Link Selector** - `.nextLink` * **Request** * **Method****\***** -** `GET` * **URL****\***** -** `https://${parameters.trendMicroDomain}/v3.0/oat/detections` * **Headers -** * **Name** - Accept * **Value -** `application/json` * **Name** - Authorization * **Value -** B`earer ${secrets.trendMicroBearerToken}` * **Query Params** * **Name** - detectedStartDateTime * **Value -** `${temporalWindow.from}` * **Name** - detectedEndDateTime * **Value -** `${temporalWindow.to}` * **Body type****\***** -** there is no required body type because the parameters are included in the URL. However, these fields are mandatory, so select `raw` and enter the `{}` placeholder. * **Output** * **Select -** `.items` * **Map -** `.` * **Output Mode** - `element` {% endtab %} {% endtabs %} This HTTP Pull Listener now uses the API to extract events. Click **Create labels** to move on to the next step and define the required [Labels](https://docs.onum.com/the-workspace/listeners/labels) if needed.