Integrate Trend Cloud One with Amazon Security Lake

This feature is part of a controlled release and is in Preview. Content on this page is subject to change.

Amazon Security Lake is a data lake for security logs, built in your account. The data lake is backed by an Amazon S3 bucket and organizes data as a set of Lake Formation tables. Amazon Security Lake is designed to optimize the cost of storing and querying massive security log sources while maintaining good query performance and compatibility with a wide variety of analytic infrastructure. Amazon Security Lake customers retain low-level ownership of their data. Amazon Security Lake also delivers a set of core AWS-native security logs, minimizing costs and maximizing performance.

Trend Cloud One Workload Security provides the following information from your VMs and cloud workloads:

  • Process activity
  • File activity
  • Registry Value activity
  • Network activity
  • DNS Query activity
  • User Account activity

Supported regions

Trend Cloud One supports Amazon Security Lake in the following regions:

Region code   Region name (location)
us-1          us-east-1 (N. Virginia)
au-1          ap-southeast-2 (Sydney)
jp-1          ap-northeast-1 (Tokyo)
de-1          eu-central-1 (Frankfurt)

Integrate Amazon Security Lake

  1. Integrate Workload Security with Trend Vision One and enable Activity Monitoring.
  2. Enable Amazon Security Lake on your AWS account (see Amazon Security Lake User Guide).
  3. Create a custom source in Security Lake for integration with Workload Security, as follows:
    1. Open the Security Lake console.
    2. By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to create the custom source.
    3. Choose Custom sources in the navigation pane, and then choose Create custom source.
    4. In the Custom source details section, enter a globally unique name for your custom source. Then, select an OCSF event class that describes the type of data that the custom source will send to Security Lake.
    5. For AWS account with permission to write data, enter the AWS account ID and External ID of the custom source that will write logs and events to the data lake.

      The External ID is your Trend Cloud One Account ID, and the AWS Account ID is the Trend Micro AWS account ID 868324285112. Security Lake attaches both values to the trust policy of the provider role it creates, so the role can only be assumed by the Trend Micro account, and only on behalf of your Cloud One account.

    6. For Service Access, create and use a new service role or use an existing service role that gives Security Lake permission to invoke AWS Glue.
    7. Choose Create.
    For more information, see Collecting data from custom sources.
  4. Invoke the integration API to forward data to your Amazon Security Lake:
    Use the following information to create the request in Postman or Paw:

    API: POST https://security-lake.{region}.cloudone.trendmicro.com/api/registrations/

    Headers:

          Authorization: ApiKey {your API key} (no braces)
          api-version: v1

    Request body (JSON):

    Attribute          Type    Description
    eventClass         enum    One of: file-activity, process-activity, network-activity, registry-value-activity, dns-activity, account-change-audit
    providerAccountID  string  Your AWS account ID (the account in which Security Lake is enabled and the custom source was created)
    bucketName         string  The name of the Amazon Security Lake S3 bucket
    prefix             string  The prefix (customSourceName) from the response of CreateCustomLogSource
    roleArn            string  The ARN of the provider role that is created automatically when you create the custom log source, using the naming convention AmazonSecurityLakeLogProviderRole-<accountID>-<data source name>. Copy the exact ARN from the custom source's details in the Security Lake console rather than constructing it.

    Example:

    
           {
             "eventClass":"process-activity",
             "providerAccountID":"123456789012",
             "bucketName":"aws-security-data-lake-us-east-1-o-rzodv08olg",
             "roleArn":"arn:aws:iam::123456789012:role/AmazonSecurityLake-Provider-test-us-east-1"
           }
           
  5. Invoke the Trend Micro Integration API to deregister a specific event class and stop forwarding that data to Amazon Security Lake:
    Use the following information to create the request in Postman or Paw:

    API: DELETE https://security-lake.{region}.cloudone.trendmicro.com/api/registrations/{eventClass}

    Headers:

          Authorization: ApiKey {your API key} (no braces)
          api-version: v1

    Path parameter (no request body):

    Attribute   Type   Description
    eventClass  enum   One of: file-activity, process-activity, network-activity, registry-value-activity, dns-activity, account-change-audit
  6. Use the Integration API to get the current registrations:

    API: GET https://security-lake.{region}.cloudone.trendmicro.com/api/registrations/

    Headers:

          Authorization: ApiKey {your API key} (no braces)
          api-version: v1

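The three calls in steps 4 to 6 as one small script. This is an added example, not Trend Micro's own client: the endpoint, headers, event classes and body attributes come from the steps above, while the client-side checks (12-digit account ID, IAM role ARN shape, role account matching providerAccountID), the CLOUDONE_API_KEY environment variable name and the placeholder account, bucket and role values are assumptions for illustration.

```python
"""Client for the Trend Cloud One Security Lake integration API (steps 4-6).

Added example; not Trend Micro's own code. Endpoint, headers, event classes
and body attributes are taken from the documented steps. The client-side
validation and the CLOUDONE_API_KEY variable name are assumptions.
"""
import json
import os
import re
import urllib.request
from typing import Optional, Tuple
from urllib.error import HTTPError

REGIONS = ("us-1", "au-1", "jp-1", "de-1")
EVENT_CLASSES = (
    "file-activity", "process-activity", "network-activity",
    "registry-value-activity", "dns-activity", "account-change-audit",
)
BASE_URL = "https://security-lake.{region}.cloudone.trendmicro.com/api/registrations/"

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def auth_headers(api_key: str) -> dict:
    """Headers required on every call; the Authorization value is 'ApiKey <key>'."""
    return {"Authorization": f"ApiKey {api_key}",
            "api-version": "v1",
            "Content-Type": "application/json"}


def validate_registration(body: dict) -> dict:
    """Reject a malformed registration body before it leaves the machine (assumed checks)."""
    if body.get("eventClass") not in EVENT_CLASSES:
        raise ValueError(f"eventClass must be one of {EVENT_CLASSES}")
    acct = body.get("providerAccountID", "")
    if not ACCOUNT_ID_RE.match(acct):
        raise ValueError("providerAccountID must be a 12-digit AWS account ID")
    if not body.get("bucketName"):
        raise ValueError("bucketName is required")
    m = ROLE_ARN_RE.match(body.get("roleArn", ""))
    if not m:
        raise ValueError("roleArn must be an IAM role ARN")
    if m.group(1) != acct:
        # The provider role lives in the Security Lake account; a mismatch
        # almost always means the ARN was copied from the wrong account.
        raise ValueError("roleArn account does not match providerAccountID")
    return body


def build_request(region: str, api_key: str, method: str,
                  event_class: Optional[str] = None, body: Optional[dict] = None) -> dict:
    """Assemble one of the three documented calls without sending it."""
    if region not in REGIONS:
        raise ValueError(f"region must be one of {REGIONS}")
    url = BASE_URL.format(region=region)
    data = None
    if method == "POST":                      # register an event class
        data = json.dumps(validate_registration(body or {}))
    elif method == "DELETE":                  # deregister one event class (path parameter)
        if event_class not in EVENT_CLASSES:
            raise ValueError(f"eventClass must be one of {EVENT_CLASSES}")
        url += event_class
    elif method != "GET":                     # GET lists current registrations
        raise ValueError("method must be POST, DELETE or GET")
    return {"method": method, "url": url, "headers": auth_headers(api_key), "body": data}


def send(req: dict, timeout: int = 30) -> Tuple[int, str]:
    """Perform a request built by build_request; returns (HTTP status, response text)."""
    data = req["body"].encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder values for illustration (not real resources).
    registration = {
        "eventClass": "process-activity",
        "providerAccountID": "123456789012",
        "bucketName": "aws-security-data-lake-us-east-1-o-rzodv08olg",
        "roleArn": "arn:aws:iam::123456789012:role/AmazonSecurityLake-Provider-test-us-east-1",
    }
    key = os.environ.get("CLOUDONE_API_KEY")      # assumed variable name
    req = build_request("us-1", key or "REDACTED", "POST", body=registration)
    print(req["method"], req["url"], req["body"])
    if key:                                       # only call the API with a real key
        print(send(req))
        print(send(build_request("us-1", key, "GET")))
```

Keep the API key out of shell history and source control; the script reads it from the environment and never prints it. Call `send(build_request(region, key, "DELETE", event_class="process-activity"))` to stop forwarding one class, then `GET` to confirm the registration is gone.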

Data validation

After the integration procedure is complete, Trend Cloud One converts activity data to OCSF format, writes it as Parquet files, and delivers them to your Amazon S3 bucket every 5 minutes.

Delivered objects are written under a key path that includes the region, account, and event day:

  • <region> is the AWS region where the data is uploaded. This is determined by the Trend Cloud One enrolled region.
  • <accountId> is the AWS account ID that the records pertain to.
  • <eventDay> is the date when the event occurred. Its format is YYYYMMDD.
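A way to check what actually landed in the bucket, as an added example (Python, not Trend Micro's code). It assumes, beyond what the page states, that objects are delivered under the custom source's prefix in the Security Lake partition layout `<prefix>/region=<region>/accountId=<accountId>/eventDay=<YYYYMMDD>/<name>.parquet`; the sample key listing, the prefix name `ext/trend-process-activity` and the account ID are constructed for illustration.

```python
"""Audit the object keys Trend Cloud One delivered into the Security Lake bucket.

Added example; not Trend Micro's code. Assumes (not stated on the page) the
Security Lake partition layout
    <prefix>/region=<region>/accountId=<accountId>/eventDay=<YYYYMMDD>/<name>.parquet
where the three partition values mean what the page says they do.
"""
import re
from datetime import date, datetime

KEY_RE = re.compile(
    r"^(?P<prefix>.+?)/region=(?P<region>[a-z]{2}-[a-z]+-\d)"
    r"/accountId=(?P<accountId>\d{12})/eventDay=(?P<eventDay>\d{8})/(?P<name>[^/]+\.parquet)$"
)

# Constructed sample listing (the shape `aws s3api list-objects-v2` would return);
# prefix, account ID and file names are illustrative.
SAMPLE_KEYS = [
    "ext/trend-process-activity/region=us-east-1/accountId=123456789012/eventDay=20240601/part-0001.parquet",
    "ext/trend-process-activity/region=us-east-1/accountId=123456789012/eventDay=20240602/part-0002.parquet",
    "ext/trend-process-activity/region=us-east-1/accountId=999999999999/eventDay=20240602/part-0003.parquet",  # foreign account
    "ext/trend-process-activity/region=us-east-1/accountId=123456789012/eventDay=20240231/part-0004.parquet",  # impossible date
    "ext/other-source/region=us-east-1/accountId=123456789012/eventDay=20240602/part-0005.parquet",            # wrong prefix
]


def parse_key(key: str):
    """Split a delivered object key into its partition values, or None if it does not fit."""
    m = KEY_RE.match(key)
    if not m:
        return None
    parts = m.groupdict()
    try:
        parts["day"] = datetime.strptime(parts["eventDay"], "%Y%m%d").date()
    except ValueError:
        return None
    return parts


def audit_keys(keys, expected_prefix, expected_account, expected_region, today=None) -> dict:
    """Accept only keys under the registered prefix for our account and region; flag stale delivery."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = datetime.strptime(today, "%Y%m%d").date()
    accepted, rejected = [], []
    for key in keys:
        p = parse_key(key)
        if p is None:
            rejected.append((key, "not in region/accountId/eventDay layout or invalid eventDay"))
        elif p["prefix"] != expected_prefix:
            rejected.append((key, "outside the registered custom-source prefix"))
        elif p["accountId"] != expected_account:
            rejected.append((key, "accountId does not match the Security Lake account"))
        elif p["region"] != expected_region:
            rejected.append((key, "region does not match the enrolled region"))
        else:
            accepted.append(p)
    latest = max((p["day"] for p in accepted), default=None)
    # Delivery runs every 5 minutes, so if the newest partition is older than
    # yesterday, forwarding has stopped or is writing somewhere else.
    stale = latest is None or (today - latest).days > 1
    return {
        "accepted": len(accepted),
        "rejected": rejected,
        "latest_day": latest.strftime("%Y%m%d") if latest else None,
        "stale": stale,
    }


def list_keys(bucket: str, prefix: str):
    """Live listing with boto3 (needs AWS credentials); not used by the sample run below."""
    import boto3  # imported here so the offline sample run has no dependency on it
    paginator = boto3.client("s3").get_paginator("list_objects_v2")
    return [o["Key"] for page in paginator.paginate(Bucket=bucket, Prefix=prefix)
            for o in page.get("Contents", [])]


if __name__ == "__main__":
    report = audit_keys(SAMPLE_KEYS, "ext/trend-process-activity", "123456789012",
                        "us-east-1", "20240603")
    print(f"accepted={report['accepted']} latest_day={report['latest_day']} stale={report['stale']}")
    for key, why in report["rejected"]:
        print("REJECT", why, key)
```

Run it against a real listing with `audit_keys(list_keys(bucket, prefix), prefix, account_id, region)`. An object written for a foreign account ID, or outside the registered prefix, is worth investigating: the provider role's trust policy should only allow Trend Micro to write on behalf of your Cloud One account, so such keys point at a mis-scoped role or a second registration.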