CONN-4000: Trend micro vision one app doc

parth-sumo · parth-sumo · commit ead13feca8c1 · 2025-01-02T12:05:31.000+05:30
diff --git a/cid-redirects.json b/cid-redirects.json
@@ -1595,6 +1595,7 @@
   "/cid/10193": "/docs/integrations/saas-cloud/asana",
   "/cid/10181": "/docs/integrations/saas-cloud/atlassian",
   "/cid/10197": "/docs/integrations/saas-cloud/symantec-web-security-service",
+  "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one",
   "/cid/10112": "/docs/integrations/app-development/jfrog-xray",
   "/cid/10113": "/docs/observability/root-cause-explorer",
   "/cid/10116": "/docs/manage/fields",
diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md
@@ -183,7 +183,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/threatminer.png')} alt="Thumbnail icon" width="125"/> | [ThreatMiner](https://www.threatminer.org/) | Automation integration: [ThreatMiner](/docs/platform-services/automation-service/app-central/integrations/threatminer/) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/threatq.png')} alt="Thumbnail icon" width="75"/> | [ThreatQ](https://www.threatq.com/) | Automation integration: [ThreatQ](/docs/platform-services/automation-service/app-central/integrations/threatq/) |
 |  <img src={useBaseUrl('img/send-data/trellix-logo.png')} alt="Thumbnail icon" width="75"/>   | [Trellix](https://www.trellix.com/en-us/index.html)  | Automation integrations: <br/>- [FireEye AX](/docs/platform-services/automation-service/app-central/integrations/fireeye-ax/) <br/>- [FireEye Central Management (CM)](/docs/platform-services/automation-service/app-central/integrations/fireeye-central-management-cm/) <br/>- [FireEye Email Security (EX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-email-security-ex/) <br/>- [FireEye Endpoint Security (HX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-endpoint-security-hx/) <br/>- [FireEye Helix](/docs/platform-services/automation-service/app-central/integrations/fireeye-helix/) <br/>- [FireEye Network Security (NX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-network-security-nx/) <br/>Cloud SIEM integrations: <br/>- [FireEye](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1430ab5c-7b8b-44e9-a8ec-83076fa374eb.md) <br/>- [Trellix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9bec8407-4182-46ec-99dd-2adfade15652.md) <br/>Collector: [Trellix mVision ePO Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/)	 |
-|  <img src={useBaseUrl('https://upload.wikimedia.org/wikipedia/commons/f/f4/Trend_Micro_logo.svg')} alt="Thumbnail icon" width="75"/>   |  [Trend Micro](https://www.trendmicro.com/en_us/business.html) | App: [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/) <br/>Automation integrations: <br/>- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/) <br/>- [Trend Micro Vision ONE](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/) <br/>Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md) <br/>Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)| 
+|  <img src={useBaseUrl('https://upload.wikimedia.org/wikipedia/commons/f/f4/Trend_Micro_logo.svg')} alt="Thumbnail icon" width="75"/>   |  [Trend Micro](https://www.trendmicro.com/en_us/business.html) | Apps: <br/>- [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/) <br/>- [Trend Micro Vision One](/docs/integrations/saas-cloud/trend-micro-vision-one/) <br/>Automation integrations: <br/>- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/) <br/>- [Trend Micro Vision One](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/) <br/>Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md) <br/>Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)| 
 | <img src={useBaseUrl('img/send-data/trust-login-icon.png')} alt="Thumbnail icon" width="50"/> | [Trust Login](https://trustlogin.com/en/) | Collector: [Trust Login Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trust-login-source) | 
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/tufin-securechange.png')} alt="Thumbnail icon" width="75"/> | [Tufin](https://www.tufin.com/) | Automation integrations: <br/>- [Tufin SecureChange](/docs/platform-services/automation-service/app-central/integrations/tufin-securechange/) <br/>- [Tufin SecureTrack V2](/docs/platform-services/automation-service/app-central/integrations/tufin-securetrack-v2/) |
 
diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md
@@ -310,6 +310,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.
   <p>Gain comprehensive visibility and actionable insights into your organization's security posture.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/integrations/saas-cloud/trend-micro-vision-one"><img src={useBaseUrl('img/send-data/trend-micro-vision-one.png')} alt="icon" width="140"/><h4>Trend Micro Vision One</h4></a>
+  <p>Analyze alert logs to detect potential security risks.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/integrations/saas-cloud/webex"><img src={useBaseUrl('img/send-data/webex-logo.png')} alt="icon" width="70"/><h4>Webex</h4></a>
diff --git a/docs/integrations/saas-cloud/trend-micro-vision-one.md b/docs/integrations/saas-cloud/trend-micro-vision-one.md
@@ -0,0 +1,275 @@
+---
+id: trend-micro-vision-one
+title: Trend Micro Vision One
+sidebar_label: Trend Micro Vision One
+description: The Trend Micro Vision One App for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/send-data/trend-micro-vision-one.png')} alt="Trend-Micro-Vision-One-icon" width="50" />
+
+The Trend Micro Vision One App for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response. With this app, users gain real-time visibility into security events and incidents within their organization's infrastructure, allowing them to quickly detect and react to potential threats. It provides a suite of interactive dashboards that present a comprehensive view of all alerts and indicators, outfitted with pre-configured visual tools such as charts, graphs, and tables. These features make it easier for teams to discern trends, patterns, and anomalies in their security data, ultimately strengthening their organization's security posture and protecting against advanced threats and attacks.
+
+:::info
+This app includes [built-in monitors](#trend-micro-vision-one-monitors). For details on creating custom monitors, refer to [Create monitors for Trend Micro Vision One app](#create-monitors-for-trend-micro-vision-one-app).
+:::
+
+## Log types
+
+This app uses Sumo Logic’s Trend Micro Vision One Source to collect [alert logs](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source/) from Trend Micro platform.
+
+## Sample log messages
+
+```json title="Alert Log"
+{
+    "schemaVersion": "1.15",
+    "id": "WB-13276-20241108-00002",
+    "investigationStatus": "New",
+    "status": "Open",
+    "investigationResult": "No Findings",
+    "workbenchLink": "https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-13276-20241108-00002?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3",
+    "alertProvider": "SAE",
+    "modelId": "3cdd0c01-e0f1-4264-b013-4ff96ea4adb6",
+    "model": "Hacking Tool Detection - Blocked",
+    "modelType": "preset",
+    "score": 21,
+    "severity": "low",
+    "createdDateTime": "2024-11-08T09:51:33Z",
+    "updatedDateTime": "2024-11-08T09:51:39Z",
+    "ownerIds": [],
+    "incidentId": "IC-13276-20241108-00000",
+    "impactScope": {
+        "desktopCount": 1,
+        "serverCount": 0,
+        "accountCount": 0,
+        "emailAddressCount": 0,
+        "containerCount": 0,
+        "cloudIdentityCount": 0,
+        "entities": [
+            {
+                "entityType": "host",
+                "entityValue": {
+                    "guid": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E",
+                    "name": "desktop-hj8smna",
+                    "ips": [
+                        "10.50.10.212"
+                    ]
+                },
+                "entityId": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E",
+                "relatedEntities": [],
+                "relatedIndicatorIds": [
+                    1,
+                    2,
+                    3,
+                    4,
+                    5,
+                    6
+                ],
+                "provenance": [
+                    "Alert"
+                ],
+                "managementScopeGroupId": "f70f8654-d627-42eb-8c1c-9762b5760db0"
+            }
+        ]
+    },
+    "description": "A hacking tool, which is generally used for cracking computer and network security or by system administrators to test security, was detected and blocked on an endpoint.",
+    "matchedRules": [
+        {
+            "id": "7310dc1a-49c4-4859-a851-c941f511009a",
+            "name": "Hacking Tool Detection - Blocked",
+            "matchedFilters": [
+                {
+                    "id": "a665ee2c-1568-466c-8a99-4744e02b180e",
+                    "name": "Hacking Tool Detection - Blocked",
+                    "matchedDateTime": "2024-11-08T09:43:02.000Z",
+                    "mitreTechniqueIds": [],
+                    "matchedEvents": [
+                        {
+                            "uuid": "b028b186-f775-4e15-8654-01bab37bcf6b",
+                            "matchedDateTime": "2024-11-08T09:43:02.000Z",
+                            "type": "PRODUCT_EVENT_LOG"
+                        }
+                    ]
+                }
+            ]
+        }
+    ],
+    "indicators": [
+        {
+            "id": 1,
+            "type": "detection_name",
+            "field": "malName",
+            "value": "HKTL_MIMIKATZ",
+            "relatedEntities": [
+                "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
+            ],
+            "filterIds": [
+                "a665ee2c-1568-466c-8a99-4744e02b180e"
+            ],
+            "provenance": [
+                "Alert"
+            ]
+        },
+        {
+            "id": 2,
+            "type": "file_sha1",
+            "field": "fileHash",
+            "value": "",
+            "relatedEntities": [
+                "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
+            ],
+            "filterIds": [
+                "a665ee2c-1568-466c-8a99-4744e02b180e"
+            ],
+            "provenance": [
+                "Alert"
+            ]
+        },
+        {
+            "id": 3,
+            "type": "filename",
+            "field": "fileName",
+            "value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)",
+            "relatedEntities": [
+                "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
+            ],
+            "filterIds": [
+                "a665ee2c-1568-466c-8a99-4744e02b180e"
+            ],
+            "provenance": [
+                "Alert"
+            ]
+        },
+        {
+            "id": 4,
+            "type": "fullpath",
+            "field": "fullPath",
+            "value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)",
+            "relatedEntities": [
+                "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
+            ],
+            "filterIds": [
+                "a665ee2c-1568-466c-8a99-4744e02b180e"
+            ],
+            "provenance": [
+                "Alert"
+            ]
+        },
+        {
+            "id": 5,
+            "type": "text",
+            "field": "actResult",
+            "value": "File cleaned",
+            "relatedEntities": [
+                "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
+            ],
+            "filterIds": [
+                "a665ee2c-1568-466c-8a99-4744e02b180e"
+            ],
+            "provenance": [
+                "Alert"
+            ]
+        },
+        {
+            "id": 6,
+            "type": "text",
+            "field": "scanType",
+            "value": "Real-time Scan",
+            "relatedEntities": [
+                "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
+            ],
+            "filterIds": [
+                "a665ee2c-1568-466c-8a99-4744e02b180e"
+            ],
+            "provenance": [
+                "Alert"
+            ]
+        }
+    ]
+}
+```
+## Sample queries
+
+```sql title="Total Alerts"
+_sourceCategory="Labs/TrendMicroVisionOne"
+| json "id", "status", "investigationResult", "workbenchLink", "alertProvider", "model", "modelType", "score", "severity", "createdDateTime", "updatedDateTime", "incidentId", "impactScope.desktopCount","impactScope.serverCount","impactScope.accountCount","impactScope.emailAddressCount","impactScope.containerCount","impactScope.cloudIdentityCount","description","indicators","impactScope.entities[*].entityType","matchedRules","matchedRules[*].matchedFilters[*].mitreTechniqueIds" as id,status,investigation_result,workbench_link,alert_provider,model,model_type,score,severity,created_date_time,updated_date_time, incident_id,desktop_count,server_count,account_count,email_address_count,container_count,cloud_identity_count,description,indicators,entity_types,matched_rules,mitre_techniques nodrop
+
+// extracting parameters
+| extract field=indicators "(?<updated_indicators>\{[^}]*\})" multi nodrop
+| extract field=matched_rules "(?<updated_matched_rules>\{[^}]*\})" multi nodrop
+| extract field=entity_types "\"?(?<entity_type>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop
+| json field=updated_indicators "provenance" as provenance nodrop
+| extract field=provenance "\"?(?<indicator_source>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop
+| extract field=mitre_techniques "\"?(?<mitre_technique>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop
+
+// global filters
+| where severity matches "{{severity}}"
+| where status matches "{{status}}"
+| where investigation_result matches "{{investigation_result}}"
+| where alert_provider matches "{{alert_provider}}"
+| where model_type matches "{{model_type}}"
+| where model matches "{{model}}"
+| where incident_id matches "{{incident_id}}"
+
+// panel specific
+| count by id
+| count
+```
+
+## Set up collection
+
+To set up the [Trend Micro Vision One Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source) for the Trend Micro Vision One app, follow the instructions provided. These instructions will guide you through the process of creating a source using the Trend Micro Vision One Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Trend Micro Vision One app is properly integrated and configured to collect and analyze your Alerts data.
+
+## Installing the Trend Micro Vision One app​
+
+import AppInstall2 from '../../reuse/apps/app-install-v2.md';
+
+<AppInstall2/>
+
+## Viewing Trend Micro Vision One dashboards​​
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Overview
+
+The **Trend Micro Vision One - Overview** dashboard provides details on security alerts, their severity, status, and distribution across different categories and time periods. 
+Use this dashboard to:
+1. Monitor the number and severity of security alerts in real-time, allowing for quick identification of high-priority threats.
+2. Analyze the distribution of alerts by provider, status, and investigation result to prioritize response efforts and allocate resources effectively.
+3. Track alert trends over time and correlate them with specific event types or indicators to identify patterns or emerging threats.
+4. Review the top affected entities and detection models to focus on the most critical assets and effective detection mechanisms.
+<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/TrendMicroVisionOne/Trend-Micro-Vision-One-Overview.png' alt="Trend-Micro-Vision-One-Overview" />
+
+## Create monitors for Trend Micro Vision One app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Trend Micro Vision One monitors
+
+The Trend Micro Vision One Monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Trend Micro Platform. These notifications offer instantaneous insight into significant events, allowing security personnel to swiftly react to deviations or breaches.
+
+| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | 
+|:--|:--|:--|:--|
+| `Trend Micro Vision One - Credential Dumping Detection` | Detects techniques aligned with MITRE ATT&CK `T1003` (Credential Dumping) for early detection of compromised credentials. | Critical | Count > 0 |
+| `Trend Micro Vision One - Critical Severity Alerts` | Provides immediate visibility into critical and high-severity alerts that need urgent attention. | Critical | Count > 0|
+| `Trend Micro Vision One - Endpoint Infection Impact Scope` | Tracks threats affecting multiple endpoints, allowing teams to respond to potential spread. | Critical | Count > 0|
+| `Trend Micro Vision One - Hacking Tools Detected and Blocked` | Monitors unauthorized tools such as Mimikatz used for reconnaissance or attacks. | Critical | Count > 0|
+| `Trend Micro Vision One -  Unresolved Alerts Aging Beyond SLA` | Identifies overdue alerts that require escalation or follow-up. | Critical | Count > 0|
+
+
+## Upgrading the Trend Micro Vision One app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the Trend Micro Vision One app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>
diff --git a/sidebars.ts b/sidebars.ts
@@ -2486,6 +2486,7 @@ integrations: [
           'integrations/saas-cloud/sophos',
           'integrations/saas-cloud/symantec-web-security-service',
           'integrations/saas-cloud/tenable',
+          'integrations/saas-cloud/trend-micro-vision-one',
           'integrations/saas-cloud/webex',
           'integrations/saas-cloud/workday',
           'integrations/saas-cloud/zendesk',
diff --git a/static/img/send-data/trend-micro-vision-one.png b/static/img/send-data/trend-micro-vision-one.png
