Interpret data packages from the Trend Vision One data pipeline

This guide explains how to:

  • Interpret data packages downloaded from the Observed Attack Techniques pipeline and the Datalake pipeline.

  • Map numeric codes to their corresponding documentation and understand the structure of the data.

Use this guide to understand the fields in data exported from Trend Vision One.

Note:

This guide assumes you downloaded data packages from the Trend Vision One API.

Observed Attack Techniques pipeline packages

  1. Extract the data packages using an appropriate tool or library.

    The Observed Attack Techniques pipeline API returns archives in GZIP format. Each archive contains a JSON Lines file: one complete JSON object per line, with no enclosing array, so parse it line by line rather than loading the whole file as a single JSON document.

    {"processFileHashSha256": "8bbdead...", "processUserDomain": "NT AUTHORITY", "eventSubId": 503, "plang": 1, "pver": "1..."... // Additional fields omitted }
    
  2. Locate the eventSourceType field in the JSON file.
  3. Use the following mapping table to decide which activity data category corresponds to your log entries:

    eventSourceType   EVENT_SOURCE_TYPE                          Activity data category       Detailed schema documentation
    ---------------   ----------------------------------------   --------------------------   -----------------------------------------------------------
    1                 EVENT_SOURCE_TELEMETRY                     ath-endpointActivityData     Endpoint Activity Data.yaml
    2                 EVENT_SOURCE_JAGUAR                        ath-detections               Detections.yaml
    3                 EVENT_SOURCE_EVENT_LOG                     ath-endpointActivityData     Endpoint Activity Data.yaml
    5                 EVENT_SOURCE_EMAIL_META                    ath-emailActivityData        Email Activity Data.yaml
    6                 EVENT_SOURCE_NETWORK_ACTIVITY              ath-networkActivityData      Network Activity Data and Secure Access Activity Data.yaml
    7                 EVENT_SOURCE_MOBILE_ACTIVITY               ath-mobileActivityData       Mobile Activity Data.yaml
    8                 EVENT_SOURCE_CONTAINER_ACTIVITY            ath-containerActivityData    Container Activity Data.yaml
    9                 EVENT_SOURCE_IDENTITY_ACTIVITY             ath-identityActivityData     Identity and Access Activity Data.yaml
    10                EVENT_SOURCE_COLLABORATION_APP_ACTIVITY    ath-emailActivityData        Email Activity Data.yaml

  4. Access the detailed schema documentation for the activity data category of your package.
  5. View the schema details:
    1. Go to the API reference of the Get Observed Attack Techniques events API.
    2. Locate the schema information:
      1. Go to Get Observed Attack Techniques events > Responses.
      2. Click to expand the "200" response.
      3. Expand the "items" object.
    3. Review the expanded schema, which lists all available fields and their descriptions.

Datalake pipeline packages

  1. Extract the data packages using an appropriate tool or library.

    The Datalake pipeline API returns archives in GZIP format. Each archive contains a JSON Lines file: one complete JSON object per line, with no enclosing array, so parse it line by line rather than loading the whole file as a single JSON document.

    {"processFileHashSha256": "8bbdead...", "processUserDomain": "NT AUTHORITY", "eventSubId": 503, "plang": 1, "pver": "1..."... // Additional fields omitted }
    
  2. Locate the eventSourceType field in the JSON file.
  3. Use the following mapping table to decide which activity data category corresponds to your log entries:

    eventSourceType                            Detailed schema documentation
    ----------------------------------------   -----------------------------------------------------------
    EVENT_SOURCE_TELEMETRY                     Endpoint Activity Data.yaml
    EVENT_SOURCE_JAGUAR                        Detections.yaml
    EVENT_SOURCE_EVENT_LOG                     Endpoint Activity Data.yaml
    EVENT_SOURCE_EMAIL_META                    Email Activity Data.yaml
    EVENT_SOURCE_NETWORK_ACTIVITY              Network Activity Data and Secure Access Activity Data.yaml
    EVENT_SOURCE_MOBILE_ACTIVITY               Mobile Activity Data.yaml
    EVENT_SOURCE_CONTAINER_ACTIVITY            Container Activity Data.yaml
    EVENT_SOURCE_IDENTITY_ACTIVITY             Identity and Access Activity Data.yaml
    EVENT_SOURCE_COLLABORATION_APP_ACTIVITY    Email Activity Data.yaml
  4. Access the detailed schema documentation based on your package type.
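The following script carries out the procedure from both sections above (extract the GZIP archive, read the JSON Lines file record by record, read eventSourceType, and map it to the activity data category and schema document) in one pass. It is an added example written for this guide, not code from Trend Micro or from the Trend Vision One API. The mapping tables are copied from this page; code 4 is not documented here and is deliberately left out, so a record carrying it is reported as unknown rather than guessed. The sample records are constructed, with invented field values, and the function and variable names are this example's own.

```python
import gzip
import io
import json
from collections import Counter

# Mapping taken from the tables on this page. The Observed Attack Techniques
# pipeline carries eventSourceType as a number; the Datalake pipeline carries
# the EVENT_SOURCE_* name. Code 4 is absent from the page and is left out.
EVENT_SOURCE_CODES = {
    1: "EVENT_SOURCE_TELEMETRY",
    2: "EVENT_SOURCE_JAGUAR",
    3: "EVENT_SOURCE_EVENT_LOG",
    5: "EVENT_SOURCE_EMAIL_META",
    6: "EVENT_SOURCE_NETWORK_ACTIVITY",
    7: "EVENT_SOURCE_MOBILE_ACTIVITY",
    8: "EVENT_SOURCE_CONTAINER_ACTIVITY",
    9: "EVENT_SOURCE_IDENTITY_ACTIVITY",
    10: "EVENT_SOURCE_COLLABORATION_APP_ACTIVITY",
}

# EVENT_SOURCE_* name -> (activity data category, detailed schema document)
EVENT_SOURCE_SCHEMAS = {
    "EVENT_SOURCE_TELEMETRY": ("ath-endpointActivityData", "Endpoint Activity Data.yaml"),
    "EVENT_SOURCE_JAGUAR": ("ath-detections", "Detections.yaml"),
    "EVENT_SOURCE_EVENT_LOG": ("ath-endpointActivityData", "Endpoint Activity Data.yaml"),
    "EVENT_SOURCE_EMAIL_META": ("ath-emailActivityData", "Email Activity Data.yaml"),
    "EVENT_SOURCE_NETWORK_ACTIVITY": ("ath-networkActivityData", "Network Activity Data and Secure Access Activity Data.yaml"),
    "EVENT_SOURCE_MOBILE_ACTIVITY": ("ath-mobileActivityData", "Mobile Activity Data.yaml"),
    "EVENT_SOURCE_CONTAINER_ACTIVITY": ("ath-containerActivityData", "Container Activity Data.yaml"),
    "EVENT_SOURCE_IDENTITY_ACTIVITY": ("ath-identityActivityData", "Identity and Access Activity Data.yaml"),
    "EVENT_SOURCE_COLLABORATION_APP_ACTIVITY": ("ath-emailActivityData", "Email Activity Data.yaml"),
}


def resolve_event_source(value):
    """Return (EVENT_SOURCE_* name, category, schema document) for an
    eventSourceType value, accepting the numeric form (Observed Attack
    Techniques) or the name (Datalake). Unknown or malformed values return
    None instead of raising, so one odd record cannot abort a batch."""
    name = EVENT_SOURCE_CODES.get(value) if isinstance(value, int) else value
    if not isinstance(name, str) or name not in EVENT_SOURCE_SCHEMAS:
        return None
    category, schema = EVENT_SOURCE_SCHEMAS[name]
    return name, category, schema


def iter_records(gz_bytes):
    """Yield one dict per line of a GZIP-compressed JSON Lines file.
    The file is not a JSON array, so json.load() on the whole body fails;
    decode line by line, skip blank lines, and yield None for a line that
    is not valid JSON so the caller can count it instead of losing it."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        for raw in fh:
            line = raw.decode("utf-8").strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                yield None


def summarize_package(gz_bytes):
    """Count records per schema document; collect eventSourceType values that
    the tables on this page do not cover and the number of unparseable lines."""
    per_schema = Counter()
    unknown = []
    bad_lines = 0
    for rec in iter_records(gz_bytes):
        if rec is None:
            bad_lines += 1
            continue
        resolved = resolve_event_source(rec.get("eventSourceType"))
        if resolved is None:
            unknown.append(rec.get("eventSourceType"))
            continue
        per_schema[resolved[2]] += 1
    return {"per_schema": dict(per_schema), "unknown": unknown, "bad_lines": bad_lines}


# Constructed sample in the shape of the page's excerpt (invented values),
# compressed the way both pipelines deliver their packages.
SAMPLE_LINES = [
    {"eventSourceType": 1, "processUserDomain": "NT AUTHORITY", "eventSubId": 503},
    {"eventSourceType": 2, "processFileHashSha256": "8bbdead" + "0" * 57},
    {"eventSourceType": "EVENT_SOURCE_NETWORK_ACTIVITY", "eventSubId": 101},
    {"eventSourceType": 4, "eventSubId": 1},  # code not documented on this page
]
SAMPLE_GZ = gzip.compress(
    ("\n".join(json.dumps(r) for r in SAMPLE_LINES) + "\nnot json\n").encode("utf-8")
)

if __name__ == "__main__":
    print(json.dumps(summarize_package(SAMPLE_GZ), indent=2))
```

Point summarize_package() at the bytes of a downloaded archive to see how many records fall under each schema document before opening the matching YAML; anything listed under "unknown" needs a table entry that this page does not provide, and a non-zero "bad_lines" count usually means the archive was truncated or was not read line by line.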