Skip to content

CONN-4000: Trend micro vision one app doc #4913

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jan 6, 2025
Merged

CONN-4000: Trend micro vision one app doc #4913

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
ead13fe
CONN-4000: Trend micro vision one app doc
parth-sumo Jan 2, 2025
fef8c33
CONN-4000: Resolved comments
parth-sumo Jan 3, 2025
bd53787
Update trend-micro-vision-one.md
JV0812 Jan 3, 2025
c4daf2b
CONN-4000: Fix tags
parth-sumo Jan 3, 2025
9d99146
Merge branch 'main' into CONN-4000-trend-micro-vision-one-app-doc
JV0812 Jan 6, 2025
6b85895
added release note
JV0812 Jan 6, 2025
b9741c8
minor fix
JV0812 Jan 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions blog-service/2025-01-06-apps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
---
title: Trend Micro Vision One (Apps)
image: https://help.sumologic.com/img/sumo-square.png
keywords:
- apps
- trend-micro
hide_table_of_contents: true
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<a href="https://help.sumologic.com/release-notes-service/rss.xml"><img src={useBaseUrl('img/release-notes/rss-orange2.png')} alt="icon" width="50"/></a>

We're excited to introduce the new Trend Micro Vision One app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Trend Micro Vision One source that collects alert logs data from the Trend Micro Vision One platform. This app helps you can gain real-time visibility into security events and incidents within your organization's infrastructure, allowing them to detect and react to potential threats quickly. [Learn more](/docs/integrations/saas-cloud/trend-micro-vision-one/).
1 change: 1 addition & 0 deletions cid-redirects.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1595,6 +1595,7 @@
"/cid/10193": "/docs/integrations/saas-cloud/asana",
"/cid/10181": "/docs/integrations/saas-cloud/atlassian",
"/cid/10197": "/docs/integrations/saas-cloud/symantec-web-security-service",
"/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one",
"/cid/10112": "/docs/integrations/app-development/jfrog-xray",
"/cid/10113": "/docs/observability/root-cause-explorer",
"/cid/10116": "/docs/manage/fields",
Expand Down
2 changes: 1 addition & 1 deletion docs/integrations/product-list/product-list-m-z.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/threatminer.png')} alt="Thumbnail icon" width="125"/> | [ThreatMiner](https://www.threatminer.org/) | Automation integration: [ThreatMiner](/docs/platform-services/automation-service/app-central/integrations/threatminer/) |
| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/threatq.png')} alt="Thumbnail icon" width="75"/> | [ThreatQ](https://www.threatq.com/) | Automation integration: [ThreatQ](/docs/platform-services/automation-service/app-central/integrations/threatq/) |
| <img src={useBaseUrl('img/send-data/trellix-logo.png')} alt="Thumbnail icon" width="75"/> | [Trellix](https://www.trellix.com/en-us/index.html) | Automation integrations: <br/>- [FireEye AX](/docs/platform-services/automation-service/app-central/integrations/fireeye-ax/) <br/>- [FireEye Central Management (CM)](/docs/platform-services/automation-service/app-central/integrations/fireeye-central-management-cm/) <br/>- [FireEye Email Security (EX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-email-security-ex/) <br/>- [FireEye Endpoint Security (HX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-endpoint-security-hx/) <br/>- [FireEye Helix](/docs/platform-services/automation-service/app-central/integrations/fireeye-helix/) <br/>- [FireEye Network Security (NX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-network-security-nx/) <br/>Cloud SIEM integrations: <br/>- [FireEye](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1430ab5c-7b8b-44e9-a8ec-83076fa374eb.md) <br/>- [Trellix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9bec8407-4182-46ec-99dd-2adfade15652.md) <br/>Collector: [Trellix mVision ePO Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/) |
| <img src={useBaseUrl('https://upload.wikimedia.org/wikipedia/commons/f/f4/Trend_Micro_logo.svg')} alt="Thumbnail icon" width="75"/> | [Trend Micro](https://www.trendmicro.com/en_us/business.html) | App: [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/) <br/>Automation integrations: <br/>- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/) <br/>- [Trend Micro Vision ONE](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/) <br/>Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md) <br/>Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)|
| <img src={useBaseUrl('https://upload.wikimedia.org/wikipedia/commons/f/f4/Trend_Micro_logo.svg')} alt="Thumbnail icon" width="75"/> | [Trend Micro](https://www.trendmicro.com/en_us/business.html) | Apps: <br/>- [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/) <br/>- [Trend Micro Vision One](/docs/integrations/saas-cloud/trend-micro-vision-one/) <br/>Automation integrations: <br/>- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/) <br/>- [Trend Micro Vision One](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/) <br/>Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md) <br/>Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)|
| <img src={useBaseUrl('img/send-data/trust-login-icon.png')} alt="Thumbnail icon" width="50"/> | [Trust Login](https://trustlogin.com/en/) | Collector: [Trust Login Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trust-login-source) |
| <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/tufin-securechange.png')} alt="Thumbnail icon" width="75"/> | [Tufin](https://www.tufin.com/) | Automation integrations: <br/>- [Tufin SecureChange](/docs/platform-services/automation-service/app-central/integrations/tufin-securechange/) <br/>- [Tufin SecureTrack V2](/docs/platform-services/automation-service/app-central/integrations/tufin-securetrack-v2/) |

Expand Down
6 changes: 6 additions & 0 deletions docs/integrations/saas-cloud/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -310,6 +310,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.
<p>Gain comprehensive visibility and actionable insights into your organization's security posture.</p>
</div>
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/integrations/saas-cloud/trend-micro-vision-one"><img src={useBaseUrl('img/send-data/trend-micro-vision-one.png')} alt="icon" width="140"/><h4>Trend Micro Vision One</h4></a>
<p>Analyze alert logs to detect potential security risks.</p>
</div>
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/integrations/saas-cloud/webex"><img src={useBaseUrl('img/send-data/webex-logo.png')} alt="icon" width="70"/><h4>Webex</h4></a>
Expand Down
281 changes: 281 additions & 0 deletions docs/integrations/saas-cloud/trend-micro-vision-one.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,281 @@
---
id: trend-micro-vision-one
title: Trend Micro Vision One
sidebar_label: Trend Micro Vision One
description: The Trend Micro Vision One app for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

<img src={useBaseUrl('img/send-data/trend-micro-vision-one.png')} alt="Trend-Micro-Vision-One-icon" width="50" />

The Trend Micro Vision One app for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response. With this app, you can gain real-time visibility into security events and incidents within your organization's infrastructure, allowing them to detect and react to potential threats quickly. It offers a suite of interactive dashboards with pre-configured visual tools like charts, graphs, and tables that provide a thorough view of all alerts and indicators. These features make it easier for teams to discern trends, patterns, and anomalies in your security data, ultimately strengthening your organization's security posture and protecting against advanced threats and attacks.

:::info
This app includes [built-in monitors](#trend-micro-vision-one-monitors). For details on creating custom monitors, refer to the [Create monitors for Trend Micro Vision One app](#create-monitors-for-the-trend-micro-vision-one-app).
:::

## Log types

This app uses Sumo Logic’s Trend Micro Vision One Source to collect [alert logs](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source/) from the Trend Micro platform.

## Sample log message

<details>
<summary>Alert Log</summary>

```json
{
"schemaVersion": "1.15",
"id": "WB-13276-20241108-00002",
"investigationStatus": "New",
"status": "Open",
"investigationResult": "No Findings",
"workbenchLink": "https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-13276-20241108-00002?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3",
"alertProvider": "SAE",
"modelId": "3cdd0c01-e0f1-4264-b013-4ff96ea4adb6",
"model": "Hacking Tool Detection - Blocked",
"modelType": "preset",
"score": 21,
"severity": "low",
"createdDateTime": "2024-11-08T09:51:33Z",
"updatedDateTime": "2024-11-08T09:51:39Z",
"ownerIds": [],
"incidentId": "IC-13276-20241108-00000",
"impactScope": {
"desktopCount": 1,
"serverCount": 0,
"accountCount": 0,
"emailAddressCount": 0,
"containerCount": 0,
"cloudIdentityCount": 0,
"entities": [
{
"entityType": "host",
"entityValue": {
"guid": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E",
"name": "desktop-hj8smna",
"ips": [
"10.50.10.212"
]
},
"entityId": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E",
"relatedEntities": [],
"relatedIndicatorIds": [
1,
2,
3,
4,
5,
6
],
"provenance": [
"Alert"
],
"managementScopeGroupId": "f70f8654-d627-42eb-8c1c-9762b5760db0"
}
]
},
"description": "A hacking tool, which is generally used for cracking computer and network security or by system administrators to test security, was detected and blocked on an endpoint.",
"matchedRules": [
{
"id": "7310dc1a-49c4-4859-a851-c941f511009a",
"name": "Hacking Tool Detection - Blocked",
"matchedFilters": [
{
"id": "a665ee2c-1568-466c-8a99-4744e02b180e",
"name": "Hacking Tool Detection - Blocked",
"matchedDateTime": "2024-11-08T09:43:02.000Z",
"mitreTechniqueIds": [],
"matchedEvents": [
{
"uuid": "b028b186-f775-4e15-8654-01bab37bcf6b",
"matchedDateTime": "2024-11-08T09:43:02.000Z",
"type": "PRODUCT_EVENT_LOG"
}
]
}
]
}
],
"indicators": [
{
"id": 1,
"type": "detection_name",
"field": "malName",
"value": "HKTL_MIMIKATZ",
"relatedEntities": [
"A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
],
"filterIds": [
"a665ee2c-1568-466c-8a99-4744e02b180e"
],
"provenance": [
"Alert"
]
},
{
"id": 2,
"type": "file_sha1",
"field": "fileHash",
"value": "",
"relatedEntities": [
"A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
],
"filterIds": [
"a665ee2c-1568-466c-8a99-4744e02b180e"
],
"provenance": [
"Alert"
]
},
{
"id": 3,
"type": "filename",
"field": "fileName",
"value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)",
"relatedEntities": [
"A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
],
"filterIds": [
"a665ee2c-1568-466c-8a99-4744e02b180e"
],
"provenance": [
"Alert"
]
},
{
"id": 4,
"type": "fullpath",
"field": "fullPath",
"value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)",
"relatedEntities": [
"A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
],
"filterIds": [
"a665ee2c-1568-466c-8a99-4744e02b180e"
],
"provenance": [
"Alert"
]
},
{
"id": 5,
"type": "text",
"field": "actResult",
"value": "File cleaned",
"relatedEntities": [
"A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
],
"filterIds": [
"a665ee2c-1568-466c-8a99-4744e02b180e"
],
"provenance": [
"Alert"
]
},
{
"id": 6,
"type": "text",
"field": "scanType",
"value": "Real-time Scan",
"relatedEntities": [
"A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E"
],
"filterIds": [
"a665ee2c-1568-466c-8a99-4744e02b180e"
],
"provenance": [
"Alert"
]
}
]
}
```
</details>

## Sample queries

```sql title="Total Alerts"
_sourceCategory="Labs/TrendMicroVisionOne"
| json "id", "status", "investigationResult", "workbenchLink", "alertProvider", "model", "modelType", "score", "severity", "createdDateTime", "updatedDateTime", "incidentId", "impactScope.desktopCount","impactScope.serverCount","impactScope.accountCount","impactScope.emailAddressCount","impactScope.containerCount","impactScope.cloudIdentityCount","description","indicators","impactScope.entities[*].entityType","matchedRules","matchedRules[*].matchedFilters[*].mitreTechniqueIds" as id,status,investigation_result,workbench_link,alert_provider,model,model_type,score,severity,created_date_time,updated_date_time, incident_id,desktop_count,server_count,account_count,email_address_count,container_count,cloud_identity_count,description,indicators,entity_types,matched_rules,mitre_techniques nodrop

// extracting parameters
| extract field=indicators "(?<updated_indicators>\{[^}]*\})" multi nodrop
| extract field=matched_rules "(?<updated_matched_rules>\{[^}]*\})" multi nodrop
| extract field=entity_types "\"?(?<entity_type>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop
| json field=updated_indicators "provenance" as provenance nodrop
| extract field=provenance "\"?(?<indicator_source>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop
| extract field=mitre_techniques "\"?(?<mitre_technique>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop

// global filters
| where severity matches "{{severity}}"
| where status matches "{{status}}"
| where investigation_result matches "{{investigation_result}}"
| where alert_provider matches "{{alert_provider}}"
| where model_type matches "{{model_type}}"
| where model matches "{{model}}"
| where incident_id matches "{{incident_id}}"

// panel specific
| count by id
| count
```

## Set up collection

To set up the [Trend Micro Vision One Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source) for the Trend Micro Vision One app, follow the instructions provided. These instructions will guide you through the process of creating a source using the Trend Micro Vision One Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Trend Micro Vision One app is properly integrated and configured to collect and analyze your Alerts data.

## Installing the Trend Micro Vision One app​

import AppInstall2 from '../../reuse/apps/app-install-v2.md';

<AppInstall2/>

## Viewing the Trend Micro Vision One dashboards​​

import ViewDashboards from '../../reuse/apps/view-dashboards.md';

<ViewDashboards/>

### Overview

The **Trend Micro Vision One - Overview** dashboard provides details on security alerts, their severity, status, and distribution across different categories and time periods.

Use this dashboard to:

- Monitor the number and severity of security alerts in real-time, allowing for quick identification of high-priority threats.
- Analyze the distribution of alerts by provider, status, and investigation result to prioritize response efforts and allocate resources effectively.
- Track alert trends over time and correlate them with specific event types or indicators to identify patterns or emerging threats.
- Review the top affected entities and detection models to focus on the most critical assets and effective detection mechanisms.
<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/TrendMicroVisionOne/Trend-Micro-Vision-One-Overview.png' alt="Trend-Micro-Vision-One-Overview" />

## Create monitors for the Trend Micro Vision One app

import CreateMonitors from '../../reuse/apps/create-monitors.md';

<CreateMonitors/>

### Trend Micro Vision One monitors

The Trend Micro Vision One monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Trend Micro Platform. These notifications offer instantaneous insight into significant events, allowing security personnel to swiftly react to deviations or breaches.

| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition |
|:--|:--|:--|:--|
| `Trend Micro Vision One - Credential Dumping Detection` | This alert is triggered if techniques aligned with MITRE ATT&CK `T1003` (Credential Dumping) is detected. Helps for early detection of compromised credentials. | Critical | Count > 0 |
| `Trend Micro Vision One - Critical Severity Alerts` | This alert is triggered if critical and high-severity alerts are detected that need urgent attention. | Critical | Count > 0|
| `Trend Micro Vision One - Endpoint Infection Impact Scope` | This alert is triggered if threats affecting multiple endpoints is detected. This helps teams to respond to potential spread. | Critical | Count > 0|
| `Trend Micro Vision One - Hacking Tools Detected and Blocked` | This alert is triggered if any unauthorized tools such as Mimikatz used for reconnaissance or attacks is identified. | Critical | Count > 0|
| `Trend Micro Vision One - Unresolved Alerts Aging Beyond SLA` | This alert is triggered if any overdue alerts that require escalation or follow-up is identified. | Critical | Count > 0|

## Upgrading/Downgrading the Trend Micro Vision One app (Optional)

import AppUpdate from '../../reuse/apps/app-update.md';

<AppUpdate/>

## Uninstalling the Trend Micro Vision One app (Optional)

import AppUninstall from '../../reuse/apps/app-uninstall.md';

<AppUninstall/>
1 change: 1 addition & 0 deletions sidebars.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2486,6 +2486,7 @@ integrations: [
'integrations/saas-cloud/sophos',
'integrations/saas-cloud/symantec-web-security-service',
'integrations/saas-cloud/tenable',
'integrations/saas-cloud/trend-micro-vision-one',
'integrations/saas-cloud/webex',
'integrations/saas-cloud/workday',
'integrations/saas-cloud/zendesk',
Expand Down
Binary file added static/img/send-data/trend-micro-vision-one.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading