This document explains how to ingest Trend Micro Vision One Detections logs to
Google Security Operations using AWS S3. The parser transforms Trend Micro Vision
One Detections logs from JSON format into a Unified Data Model (UDM).
Before you begin
Make sure you have the following prerequisites:
Google SecOps instance
Privileged access to Trend Micro Vision One
Configure Logging on Trend Micro Vision One
Sign in to the Trend Micro Vision One console.
Go to Workflow and Automation > Third-Party Integration.
Click Google Security Operations SIEM.
Under Access key, click Generate key.
Copy and save the access key ID and secret access key.
Under Data transfer, enable the toggle next to Detections Data.
An S3 URI is generated and the data begins to be sent to the corresponding S3 bucket.
Copy and save the S3 URL for use at a later time.
Set up feeds
To configure a feed, follow these steps:
Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Trend Micro Vision One Detections Logs).
Select Amazon S3 as the Source type.
Select Trend Micro Vision One Detections as the Log type.
Click Next.
Specify values for the following input parameters:
Region: The region where the Amazon S3 bucket is located.
S3 URI: The bucket URI (the format should be: s3://log-bucket-name/).
Replace the following:
log-bucket-name: the name of the bucket.
URI is a: Select Directory or Directory which includes subdirectories.
Source deletion options: Select Never delete files. Data in the S3 bucket is retained for 7 days before being purged.
Access Key ID: User access key with access to the S3 bucket.
Secret Access Key: User secret key with access to the S3 bucket.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
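A pre-flight check for the feed's input parameters, added here as an example and not part of the original page: it validates the saved S3 URI against the s3://log-bucket-name/ format and confirms the generated key can list that location before the values go into the feed form. It assumes the AWS CLI is installed, that the key pair is exported as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, and that the key permits listing; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check for the S3 feed inputs (names are illustrative).

# Split s3://bucket/prefix/ into S3_BUCKET and S3_PREFIX; reject anything else.
parse_s3_uri() {
  case "$1" in
    s3://*) _rest="${1#s3://}" ;;
    *) echo "not an s3:// URI: $1" >&2; return 1 ;;
  esac
  S3_BUCKET="${_rest%%/*}"
  case "$_rest" in
    */*) S3_PREFIX="${_rest#*/}" ;;
    *)   S3_PREFIX="" ;;
  esac
  # S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens,
  # starting and ending with a letter or digit.
  if ! printf '%s' "$S3_BUCKET" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'; then
    echo "invalid bucket name: $S3_BUCKET" >&2
    return 1
  fi
}

# The feed's "URI is a" option is a directory, so the URI should end in "/".
is_directory_uri() {
  case "$1" in
    */) return 0 ;;
    *)  return 1 ;;
  esac
}

# Confirm the key pair in the environment can list the location in the given region.
# Arguments: S3 URI, region. Requires the AWS CLI and network access.
check_feed_access() {
  parse_s3_uri "$1" || return 1
  is_directory_uri "$1" || { echo "URI should end with /" >&2; return 1; }
  aws s3 ls "s3://$S3_BUCKET/$S3_PREFIX" --region "$2" >/dev/null
}

# Run the live check only when both arguments are supplied:
#   sh preflight.sh s3://log-bucket-name/ <region>
if [ "$#" -eq 2 ]; then
  check_feed_access "$1" "$2" && echo "feed inputs look usable"
fi
```

A failed listing here points to the wrong region, URI, or key pair before the feed is created, rather than after it silently ingests nothing.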
Last updated 2025-09-04 UTC.