rebase release-3-1-0 from release-3-0-0 (#1109)

* Docs/general update (#1076) * Updated terraform version and git branch Signed-off-by: jack1902 <[email protected]> * removed step no longer required, as the choices are dynamically created based on the @StreamAlertOutput class decorator Signed-off-by: jack1902 <[email protected]> * reset to stable and changed note Signed-off-by: jack1902 <[email protected]> * [docs] Correcting URL in contributing.rst as previous a HTTP 404 error (#1081) Signed-off-by: jack1902 <[email protected]> * [core] Fix a parser bug when processing raw event encapsulated in a string (#1085) see issue: #1084 for more information Signed-off-by: jack1902 <[email protected]> * [unit test] Use single quote around strings (#1087) * [core] Adding trendmicro malware schema and rule (#1077) [testing] Added trendmicro schema and rule test Signed-off-by: jack1902 <[email protected]> * [terraform] Implemented a fix for the count error (#1089) [testing] fixed test for rules_engine assertion Signed-off-by: jack1902 <[email protected]> * [terraform] fixed destroy issue by reverting #1060 (#1093) This in-turn re-introduced #1047. I fixed this by ensuring that the cleanup function removes the metric_filters.tf.json file, otherwise terraform reads this in as part of its deployment. Signed-off-by: jack1902 <[email protected]> * [testing] enable trend tests, previously only schema (#1096) Signed-off-by: jack1902 <[email protected]> * [rule] Fix cloudtrail_public_resources (#1102) Signed-off-by: jack1902 <[email protected]> * [core] Updated cloudtrail:events optional_key (#1101) Updated the optional_top_level_keys for cloudtrail:events Signed-off-by: jack1902 <[email protected]> * [core] Added trendmicro normalized_types (#1105) Signed-off-by: jack1902 <[email protected]> * [outputs] add Microsoft Teams as an alerting output (#1079) * [core] Initial Microsoft Teams output code commit, looking for feedback Signed-off-by: jack1902 <[email protected]> * [testing] added TeamsOutput Testing (used slack tests as template), ammended list for output_base aswell Signed-off-by: jack1902 <[email protected]> * [docs] added Microsoft Teams to output documentation [setup] added pymsteams to reuirements-top-level and added sample-webhook to outputs.json Signed-off-by: jack1902 <[email protected]> * [core] Moved pymsteams to package.py [docs] Corrected docstring for teams and added teams to outputs [core] Added Alert section to card (didn't have the alert_id which made it confusing previously) [testing] re-wrote the tests Signed-off-by: jack1902 <[email protected]> * [core] Added dynamic_outputs to Rule (#1095) * Now possible to pass dynamic_outputs to the @rule decorator and have outputs be dynamically configured based on information in the record. For example, you could use lookup_tables to map an account_id to an owner which maps to an output [testing] Updated unit tests and added additional tests for new dynamic_outputs [docs] Added dynamic_outputs documentation Signed-off-by: jack1902 <[email protected]> * [core] added aws-ses as an output (#1082) [testing] added aws-ses output tests [docs] updated docs/source/outputs.rst to include aws ses [terraform] Added ses:SendRawEmail to tf_alert_processor_iam Signed-off-by: jack1902 <[email protected]> * [docs] added aws-ses to outputs.rst (#1103) Signed-off-by: jack1902 <[email protected]> * threat_intel_downloader module now uses tf_lambda module (#1074) * threat intel downloader terraform module now uses tf_lambda * small cleanups make for happier linters * fixed some stale references in the threat_intel_downloader terraform module Co-authored-by: jack1902 <[email protected]> Co-authored-by: darkjokelady <[email protected]> Co-authored-by: Garret Reece <[email protected]>
airbnb · Feb 4, 2020 · e82ef59 · e82ef59
1 parent 3540535
commit e82ef59
Show file tree

Hide file tree

Showing 20 changed files with 249 additions and 24 deletions.
diff --git a/.github/CONTRIBUTING.rst b/.github/CONTRIBUTING.rst
@@ -127,7 +127,7 @@ If you are adding features to existing classes with tests, you must add test cas
 Integration Testing
 ~~~~~~~~~~~~~~~~~~~
 
-To verify StreamAlert works from end-to-end, locally, follow the testing instructions `here <https://streamalert.io/rules.html>`_.
+To verify StreamAlert works from end-to-end, locally, follow the testing instructions `here <https://streamalert.io/en/stable/testing.html#running-tests>`_.
 
 Pull Request
 ------------

diff --git a/conf/clusters/prod.json b/conf/clusters/prod.json
@@ -17,7 +17,8 @@
     },
     "sns": {
       "prefix_cluster_sample_topic": [
-          "binaryalert"
+        "binaryalert",
+        "trendmicro"
       ]
     },
     "streamalert_app": {

diff --git a/conf/normalized_types.json b/conf/normalized_types.json
@@ -243,5 +243,10 @@
       "srcuser",
       "dstuser"
     ]
+  },
+  "trendmicro": {
+    "sourceAccount": [
+      "HostOwnerID"
+    ]
   }
 }
diff --git a/conf/schemas/cloudtrail.json b/conf/schemas/cloudtrail.json
@@ -60,6 +60,8 @@
         "resources",
         "serviceEventDetails",
         "sharedEventID",
+        "sourceIPAddress",
+        "userAgent",
         "vpcEndpointId"
       ]
     }

diff --git a/conf/schemas/trendmicro.json b/conf/schemas/trendmicro.json
@@ -0,0 +1,65 @@
+{
+  "trendmicro:malwareevent": {
+    "configuration": {
+      "json_path": "[*]",
+      "optional_top_level_keys": [
+        "AMTarget",
+        "AMTargetType",
+        "ContainerID",
+        "CreationTime",
+        "DetectedSHA1",
+        "InfectedFilePath",
+        "ModificationTime"
+      ]
+    },
+    "parser": "json",
+    "schema": {
+      "AMTarget": "string",
+      "AMTargetType": "string",
+      "AMTargetTypeString": "string",
+      "ATSEDetectionLevel": "integer",
+      "ContainerID": "string",
+      "CreationTime": "string",
+      "DetectedSHA1": "string",
+      "EngineType": "integer",
+      "EngineVersion": "string",
+      "ErrorCode": "integer",
+      "EventID": "integer",
+      "EventType": "string",
+      "HostAgentGUID": "string",
+      "HostAgentVersion": "string",
+      "HostCloudType": "string",
+      "HostGroupID": "integer",
+      "HostGroupName": "string",
+      "HostID": "integer",
+      "HostInstanceID": "string",
+      "HostOS": "string",
+      "HostOwnerID": "string",
+      "HostSecurityPolicyID": "integer",
+      "HostSecurityPolicyName": "string",
+      "Hostname": "string",
+      "InfectedFilePath": "string",
+      "LogDate": "string",
+      "MajorVirusType": "integer",
+      "MajorVirusTypeString": "string",
+      "MalwareName": "string",
+      "MalwareType": "integer",
+      "ModificationTime": "string",
+      "Origin": "integer",
+      "OriginString": "string",
+      "PatternVersion": "string",
+      "Protocol": "integer",
+      "Reason": "string",
+      "ScanAction1": "integer",
+      "ScanAction2": "integer",
+      "ScanResultAction1": "integer",
+      "ScanResultAction2": "integer",
+      "ScanResultString": "string",
+      "ScanType": "integer",
+      "ScanTypeString": "string",
+      "Tags": "string",
+      "TenantID": "integer",
+      "TenantName": "string"
+    }
+  }
+}
diff --git a/docs/source/getting-started.rst b/docs/source/getting-started.rst
@@ -8,14 +8,14 @@ Install Dependencies
 --------------------
 
 1. Install Python 3.7 and `pip <https://pip.pypa.io/en/stable/installing/>`_
-2. Install `Terraform <https://www.terraform.io/intro/getting-started/install.html>`_ v0.11.X:
+2. Install `Terraform <https://www.terraform.io/intro/getting-started/install.html>`_ >= v0.12.9:
 
 .. code-block:: bash
 
   brew install terraform  # MacOS Homebrew
-  terraform --version     # Must be v0.11.X
+  terraform --version     # Must be >= v0.12.9
 
-.. note:: Terraform versions >= 0.12.X are not currently supported.
+.. note:: Terraform versions lower than 0.12 are not supported. Recommend to install terraform version 0.12.9 or up.
 
 3. Install `virtualenv <https://virtualenv.pypa.io/en/stable/installation/>`_:
 

diff --git a/docs/source/outputs.rst b/docs/source/outputs.rst
@@ -146,11 +146,7 @@ Adding support for a new service involves five steps:
 
 4. Add the ``@StreamAlertOutput`` class decorator to the new subclass so it registered when the `outputs` module is loaded.
 
-5. To allow the cli to configure a new integration for this service, add the value used above for the ``__service__`` property to the ``manage.py`` file.
-
-   - The ``output_parser`` contains a ``choices`` list for ``--service`` that must include this new service.
-
-6. Extend the ``AlertProcessorTester.setup_outputs`` method in ``streamalert_cli/test.py`` module to provide mock credentials for your new output.
+5. Extend the ``AlertProcessorTester.setup_outputs`` method in ``streamalert_cli/test.py`` module to provide mock credentials for your new output.
 
 Strategy
 --------

diff --git a/rules/community/cloudtrail/cloudtrail_public_resources.py b/rules/community/cloudtrail/cloudtrail_public_resources.py
@@ -51,7 +51,7 @@ def cloudtrail_public_resources(rec):
             policy_string = rec['requestParameters'].get('attributeValue', '')
     elif rec['eventName'] == 'CreateTopic':
         policy_string = (
-            rec.get('requestParameters', {}).get('attributes', '').get('Policy', '')
+            rec.get('requestParameters', {}).get('attributes', {}).get('Policy', '')
         )
 
     # Check ECR

diff --git a/rules/community/trendmicro/__init__.py b/rules/community/trendmicro/__init__.py
diff --git a/rules/community/trendmicro/trendmicro_malware_event.py b/rules/community/trendmicro/trendmicro_malware_event.py
@@ -0,0 +1,14 @@
+"""Alert on TrendMicro Malware events"""
+from streamalert.shared.rule import rule
+
+
+@rule(logs=['trendmicro:malwareevent'])
+def trendmicro_malware_event(_):
+    """
+    author:       jack (jack1902)
+    description:  Trend Micro identified malware on an agent
+    testing:      (a) Log on to a machine where Trend Agent is active
+                  (b) Upload EICAR Test File:
+                  http://docs.trendmicro.com/all/ent/de/v1.5/en-us/de_1.5_olh/ctm_ag/ctm1_ag_ch8/t_test_eicar_file.htm
+    """
+    return True
diff --git a/streamalert/classifier/parsers.py b/streamalert/classifier/parsers.py
@@ -241,6 +241,10 @@ def _key_check(cls, record, schema, optionals=None, is_envelope=False):
         if not schema:
             return True
 
+        # Expect the record is a dict. Return False (schema doesn't match) if it is not.
+        if not isinstance(record, dict):
+            return False
+
         schema_keys = set(schema)
 
         keys = set(record) if not optionals else set(record).union(optionals)

diff --git a/streamalert_cli/terraform/generate.py b/streamalert_cli/terraform/generate.py
@@ -362,17 +362,13 @@ def generate_cluster(config, cluster_name):
     return cluster_dict
 
 
-def cleanup_old_tf_files(config):
-    """Cleanup old .tf files, these are now .tf.json files per Hashicorp best practices"""
-    files_for_removal = set(config.clusters()).union({'athena', 'main'})
+def cleanup_old_tf_files():
+    """
+    Cleanup old *.tf.json files
+    """
     for terraform_file in os.listdir('terraform'):
-        if terraform_file == 'variables.tf':
-            continue
-
         if fnmatch(terraform_file, '*.tf.json'):
-            # Allow to retain misc files in the terraform/ directory
-            if terraform_file.split('.')[0] in files_for_removal:
-                os.remove(os.path.join('terraform', terraform_file))
+            os.remove(os.path.join('terraform', terraform_file))
 
 
 class TerraformGenerateCommand(CLICommand):
@@ -405,7 +401,7 @@ def terraform_generate_handler(config, init=False, check_tf=True, check_creds=Tr
     if check_tf and not terraform_check():
         return False
 
-    cleanup_old_tf_files(config)
+    cleanup_old_tf_files()
 
     # Setup the main.tf.json file
     LOGGER.debug('Generating cluster file: main.tf.json')

diff --git a/streamalert_cli/terraform/handlers.py b/streamalert_cli/terraform/handlers.py
@@ -233,7 +233,7 @@ def handler(cls, options, config):
         # Migrate back to local state so Terraform can successfully
         # destroy the S3 bucket used by the backend.
         # Do not check for terraform or aws creds again since these were checked above
-        if not terraform_generate_handler(config=config, init=False, check_tf=False,
+        if not terraform_generate_handler(config=config, init=True, check_tf=False,
                                           check_creds=False):
             return False
 

diff --git a/streamalert_cli/terraform/rules_engine.py b/streamalert_cli/terraform/rules_engine.py
@@ -42,6 +42,9 @@ def generate_rules_engine(config):
         'threat_intel_enabled': config.get('threat_intel', {}).get('enabled'),
         'dynamodb_table_name': config.get('threat_intel', {}).get('dynamodb_table_name'),
         'rules_table_arn': '${module.globals.rules_table_arn}',
+        'enable_rule_staging': config['global']['infrastructure']['rule_staging'].get(
+            'enabled', False
+        ),
         'classifier_sqs_queue_arn': '${module.globals.classifier_sqs_queue_arn}',
         'classifier_sqs_sse_kms_key_arn': '${module.globals.classifier_sqs_sse_kms_key_arn}',
         'sqs_record_batch_size': min(config.get('sqs_record_batch_size', 10), 10)

diff --git a/terraform/modules/tf_rules_engine/iam.tf b/terraform/modules/tf_rules_engine/iam.tf
@@ -24,14 +24,14 @@ data "aws_iam_policy_document" "read_threat_intel_table" {
 
 // Allow the Rules Engine to read the rules table
 resource "aws_iam_role_policy" "read_rules_table" {
-  count  = var.rules_table_arn == "" ? 0 : 1
+  count  = var.enable_rule_staging ? 1 : 0
   name   = "ReadRulesDynamoDB"
   role   = var.function_role_id
   policy = data.aws_iam_policy_document.read_rules_table[0].json
 }
 
 data "aws_iam_policy_document" "read_rules_table" {
-  count = var.rules_table_arn == "" ? 0 : 1
+  count = var.enable_rule_staging ? 1 : 0
 
   statement {
     effect = "Allow"

diff --git a/terraform/modules/tf_rules_engine/variables.tf b/terraform/modules/tf_rules_engine/variables.tf
@@ -30,6 +30,11 @@ variable "dynamodb_table_name" {
   default = "streamalert_threat_intel_ioc_table"
 }
 
+variable "enable_rule_staging" {
+  description = "Deploy rule staging resources if enabled"
+  default     = false
+}
+
 variable "rules_table_arn" {
   description = "ARN of the rules table for reading rule staging information"
 }

diff --git a/tests/integration/rules/cloudtrail/cloudtrail_quicksight.json b/tests/integration/rules/cloudtrail/cloudtrail_quicksight.json
@@ -0,0 +1,41 @@
+[
+    {
+        "data": {
+            "Records": [
+                {
+                    "eventVersion": "1.05",
+                    "userIdentity": {
+                        "arn": "arn",
+                        "accountId": "accountId",
+                        "userName": "userName",
+                        "type": "type"
+                    },
+                    "eventTime": "eventTime",
+                    "eventSource": "quicksight.amazonaws.com",
+                    "eventName": "QueryDatabase",
+                    "awsRegion": "awsRegion",
+                    "requestParameters": null,
+                    "responseElements": null,
+                    "eventID": "eventID",
+                    "readOnly": true,
+                    "eventType": "AwsServiceEvent",
+                    "recipientAccountId": "recipientAccountId",
+                    "serviceEventDetails": {
+                        "eventRequestDetails": {
+                            "dataSourceId": "dataSourceId",
+                            "queryId": "queryId",
+                            "resourceId": "resourceId",
+                            "dataSetId": "dataSetId",
+                            "dataSetMode": "dataSetMode"
+                        }
+                    }
+                }
+            ]
+        },
+        "description": "quicksight event via cloudtrail",
+        "log": "cloudtrail:events",
+        "service": "s3",
+        "source": "prefix.cluster.sample.bucket",
+        "validate_schema_only": true
+    }
+]
diff --git a/tests/integration/rules/trendmicro/trendmicro_schema.json b/tests/integration/rules/trendmicro/trendmicro_schema.json
@@ -0,0 +1,57 @@
+[
+    {
+        "data": "[{\"AMTargetTypeString\":\"N/A\",\"ATSEDetectionLevel\":0,\"CreationTime\":\"2019-07-16T09:34:31.000Z\",\"EngineType\":12345,\"EngineVersion\":\"version.number\",\"ErrorCode\":0,\"EventID\":1,\"EventType\":\"AntiMalwareEvent\",\"HostAgentGUID\":\"VALID_GUID\",\"HostAgentVersion\":\"VALID.AGENT.VERSION\",\"HostCloudType\":\"amazon\",\"HostGroupID\":1,\"HostGroupName\":\"test.eu-west-1a (subnet-test))\",\"HostID\":1,\"HostInstanceID\":\"i-fffffffffffffffff\",\"HostOS\":\"VALID_HOST_OS\",\"HostOwnerID\":\"123456789012\",\"HostSecurityPolicyID\":1,\"HostSecurityPolicyName\":\"POLICY_NAME\",\"Hostname\":\"HOSTNAME.eu-west-1.compute.amazonaws.com (SERVER NAME) [i-fffffffffffffffff]\",\"InfectedFilePath\":\"/tmp/virus\",\"LogDate\":\"2019-07-16T09:34:31.000Z\",\"MajorVirusType\":2,\"MajorVirusTypeString\":\"Virus\",\"MalwareName\":\"Eicar_test_file\",\"MalwareType\":1,\"ModificationTime\":\"2019-07-16T09:34:31.000Z\",\"Origin\":0,\"OriginString\":\"Agent\",\"PatternVersion\":\"PATTERN.VERSION\",\"Protocol\":0,\"Reason\":\"Advanced Real-Time Scan Configuration\",\"ScanAction1\":4,\"ScanAction2\":3,\"ScanResultAction1\":-81,\"ScanResultAction2\":0,\"ScanResultString\":\"Quarantined\",\"ScanType\":0,\"ScanTypeString\":\"Real Time\",\"Tags\":\"\",\"TenantID\":0,\"TenantName\":\"Primary\"}]",
+        "description": "Triggers an alert caused by trend malware event for Eicar_test_file",
+        "log": "trendmicro:malwareevent",
+        "service": "sns",
+        "source": "prefix_cluster_sample_topic",
+        "validate_schema_only": false,
+        "trigger_rules": [
+            "trendmicro_malware_event"
+        ]
+    },
+    {
+        "data": "[{\"AMTargetTypeString\": \"N/A\", \"ATSEDetectionLevel\": 0, \"EngineType\": 1074266112, \"EngineVersion\": \"6.2.0.4015\", \"ErrorCode\": 0, \"EventID\": 439, \"EventType\": \"AntiMalwareEvent\", \"HostAgentGUID\": \"FD8A64A9-F66C-49B5-B7AB-03E00EA09E53\", \"HostAgentVersion\": \"VALID.AGENT.VERSION\", \"HostCloudType\": \"amazon\", \"HostGroupID\": 1, \"HostGroupName\": \"test.eu-west-1a (subnet-test)\", \"HostID\": 8076, \"HostInstanceID\": \"i-fffffffffffffffff\", \"HostOS\": \"Windows\", \"HostOwnerID\": \"123456789012\", \"HostSecurityPolicyID\": 1, \"HostSecurityPolicyName\": \"Test_Policy\", \"Hostname\": \"HOSTNAME.eu-west-1.compute.amazonaws.com (SERVER NAME) [i-fffffffffffffffff]\", \"LogDate\": \"2019-07-07T15:36:52.000Z\", \"MajorVirusType\": 4, \"MajorVirusTypeString\": \"SPYWARE\", \"MalwareName\": \"Cookie_DoubleClick\", \"MalwareType\": 2, \"Origin\": 0, \"OriginString\": \"Agent\", \"PatternVersion\": \"\", \"Protocol\": 0, \"Reason\": \"Default Scheduled Scan Configuration\", \"ScanAction1\": 2, \"ScanAction2\": 0, \"ScanResultAction1\": 0, \"ScanResultAction2\": 0, \"ScanResultString\": \"Deleted\", \"ScanType\": 2, \"ScanTypeString\": \"Scheduled\", \"Tags\": \"\", \"TenantID\": 0, \"TenantName\": \"Primary\"}]",
+        "description": "Triggers an alert caused by trend malware event for Spyware",
+        "log": "trendmicro:malwareevent",
+        "service": "sns",
+        "source": "prefix_cluster_sample_topic",
+        "validate_schema_only": false,
+        "trigger_rules": [
+            "trendmicro_malware_event"
+        ]
+    },
+    {
+        "data": "[{\"AMTargetTypeString\": \"N\/A\", \"ATSEDetectionLevel\": 0, \"ContainerID\": \"\", \"CreationTime\": \"1970-01-01T00:00:00.000Z\", \"DetectedSHA1\": \"0000000000000000000000000000000000000000\", \"EngineType\": 1074790400, \"EngineVersion\": \"8.1.0.1002\", \"ErrorCode\": 0, \"EventID\": 460, \"EventType\": \"AntiMalwareEvent\", \"HostAgentGUID\": \"FD8A64A9-F66C-49B5-B7AB-03E00EA09E53\", \"HostAgentVersion\": \"VALID.AGENT.VERSION\", \"HostCloudType\": \"amazon\", \"HostGroupID\": 1, \"HostGroupName\": \"test.eu-west-1a (subnet-test)\", \"HostID\": 282, \"HostInstanceID\": \"i-fffffffffffffffff\", \"HostOS\": \"Windows\", \"HostOwnerID\": \"123456789012\", \"HostSecurityPolicyID\": 1, \"HostSecurityPolicyName\": \"Test_Policy\", \"Hostname\": \"HOSTNAME.eu-west-1.compute.amazonaws.com (SERVER NAME) [i-fffffffffffffffff]\", \"InfectedFilePath\": \"C:\\\\Users\\\\Local_Admin\\\\AppData\\\\Local\\\\Temp\\\\zdgaa\\\\gigoto.exe\", \"LogDate\": \"2019-07-16T12:45:30.000Z\", \"MajorVirusType\": 1, \"MajorVirusTypeString\": \"Trojan\", \"MalwareName\": \"HEU_AEGISCS918\", \"MalwareType\": 1, \"ModificationTime\": \"1970-01-01T00:00:00.000Z\", \"Origin\": 0, \"OriginString\": \"Agent\", \"PatternVersion\": \"123\", \"Protocol\": 0, \"Reason\": \"Advanced Real-Time Scan Configuration\", \"ScanAction1\": 3, \"ScanAction2\": 0, \"ScanResultAction1\": 0, \"ScanResultAction2\": 0, \"ScanResultString\": \"Quarantined\", \"ScanType\": 0, \"ScanTypeString\": \"Real Time\", \"Tags\": \"\", \"TenantID\": 0, \"TenantName\": \"Primary\"}]",
+        "description": "Triggers an alert caused by trend malware event for Trojan",
+        "log": "trendmicro:malwareevent",
+        "service": "sns",
+        "source": "prefix_cluster_sample_topic",
+        "validate_schema_only": false,
+        "trigger_rules": [
+            "trendmicro_malware_event"
+        ]
+    },
+    {
+        "data": "[{\"AMTargetTypeString\": \"N\/A\", \"ATSEDetectionLevel\": 2, \"ContainerID\": \"\", \"CreationTime\": \"2019-06-12T11:33:54.000Z\", \"DetectedSHA1\": \"0000000000000000000000000000000000000000\", \"EngineType\": 1207959846, \"EngineVersion\": \"10.0.0.1040\", \"ErrorCode\": 0, \"EventID\": 333, \"EventType\": \"AntiMalwareEvent\", \"HostAgentGUID\": \"FD8A64A9-F66C-49B5-B7AB-03E00EA09E53\", \"HostAgentVersion\": \"VALID.AGENT.VERSION\", \"HostCloudType\": \"amazon\", \"HostGroupID\": 1, \"HostGroupName\": \"test.eu-west-1a (subnet-test)\", \"HostID\": 11693, \"HostInstanceID\": \"i-fffffffffffffffff\", \"HostOS\": \"Windows\", \"HostOwnerID\": \"123456789012\", \"HostSecurityPolicyID\": 1, \"HostSecurityPolicyName\": \"Test_Policy\", \"Hostname\": \"HOSTNAME.eu-west-1.compute.amazonaws.com (SERVER NAME) [i-fffffffffffffffff]\", \"InfectedFilePath\": \"C:\\\\Windows\\\\Temp\\\\fmlFEA4.tmp(017296_Company Profile for COVEENSIPT.RTF)\", \"LogDate\": \"2019-06-12T11:33:54.000Z\", \"MajorVirusType\": 11, \"MajorVirusTypeString\": \"Aggressive Detection Rule\", \"MalwareName\": \"HEUR_RTFEXP.A\", \"MalwareType\": 3, \"ModificationTime\": \"2019-06-12T11:33:54.000Z\", \"Origin\": 0, \"OriginString\": \"Agent\", \"PatternVersion\": \"123\", \"Protocol\": 0, \"Reason\": \"Advanced Real-Time Scan Configuration\", \"ScanAction1\": 1, \"ScanAction2\": 0, \"ScanResultAction1\": 0, \"ScanResultAction2\": 0, \"ScanResultString\": \"Passed\", \"ScanType\": 0, \"ScanTypeString\": \"Real Time\", \"Tags\": \"\", \"TenantID\": 0, \"TenantName\": \"Primary\"}]",
+        "description": "Triggers an alert caused by trend malware event for Aggressive Detection Rule",
+        "log": "trendmicro:malwareevent",
+        "service": "sns",
+        "source": "prefix_cluster_sample_topic",
+        "validate_schema_only": false,
+        "trigger_rules": [
+            "trendmicro_malware_event"
+        ]
+    },
+    {
+        "data": "[{\"AMTarget\": \"C:\\\\Windows\\\\system32\\\\regsvr32.exe\", \"AMTargetType\": 1, \"AMTargetTypeString\": \"Process\", \"ATSEDetectionLevel\": 0, \"EngineType\": 1074790400, \"EngineVersion\": \"8.1.0.1002\", \"ErrorCode\": 0, \"EventID\": 445, \"EventType\": \"AntiMalwareEvent\", \"HostAgentGUID\": \"FD8A64A9-F66C-49B5-B7AB-03E00EA09E53\", \"HostAgentVersion\": \"VALID.AGENT.VERSION\", \"HostCloudType\": \"amazon\", \"HostGroupID\": 1, \"HostGroupName\": \"test.eu-west-1a (subnet-test)\", \"HostID\": 812, \"HostInstanceID\": \"i-fffffffffffffffff\", \"HostOS\": \"Windows\", \"HostOwnerID\": \"123456789012\", \"HostSecurityPolicyID\": 1, \"HostSecurityPolicyName\": \"Test_Policy\", \"Hostname\": \"HOSTNAME.eu-west-1.compute.amazonaws.com (SERVER NAME) [i-fffffffffffffffff]\", \"InfectedFilePath\": \"c:\\\\program files\\\\notepad++\\\\nppshell_06.dll\", \"LogDate\": \"2019-07-09T12:14:04.000Z\", \"MajorVirusType\": 14, \"MajorVirusTypeString\": \"Suspicious Activity\", \"MalwareName\": \"TM_MALWARE_BEHAVIOR\", \"MalwareType\": 4, \"Origin\": 0, \"OriginString\": \"Agent\", \"PatternVersion\": \"123\", \"Protocol\": 0, \"Reason\": \"Advanced Real-Time Scan Configuration\", \"ScanAction1\": 6, \"ScanAction2\": 0, \"ScanResultAction1\": 0, \"ScanResultAction2\": 0, \"ScanResultString\": \"Terminated\", \"ScanType\": 0, \"ScanTypeString\": \"Real Time\", \"Tags\": \"\", \"TenantID\": 0, \"TenantName\": \"Primary\"}]",
+        "description": "Triggers an alert caused by trend malware event for Suspicious Activity",
+        "log": "trendmicro:malwareevent",
+        "service": "sns",
+        "source": "prefix_cluster_sample_topic",
+        "validate_schema_only": false,
+        "trigger_rules": [
+            "trendmicro_malware_event"
+        ]
+    }
+]