-
Notifications
You must be signed in to change notification settings - Fork 228
CONN-4000: Trend micro vision one app doc #4913
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
himanshu219
merged 7 commits into
SumoLogic:main
from
parth-sumo:CONN-4000-trend-micro-vision-one-app-doc
Jan 6, 2025
Merged
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
ead13fe
CONN-4000: Trend micro vision one app doc
parth-sumo fef8c33
CONN-4000: Resolved comments
parth-sumo bd53787
Update trend-micro-vision-one.md
JV0812 c4daf2b
CONN-4000: Fix tags
parth-sumo 9d99146
Merge branch 'main' into CONN-4000-trend-micro-vision-one-app-doc
JV0812 6b85895
added release note
JV0812 b9741c8
minor fix
JV0812 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,275 @@ | ||
| --- | ||
| id: trend-micro-vision-one | ||
| title: Trend Micro Vision One | ||
| sidebar_label: Trend Micro Vision One | ||
| description: The Trend Micro Vision One App for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response. | ||
| --- | ||
|
|
||
| import useBaseUrl from '@docusaurus/useBaseUrl'; | ||
|
|
||
| <img src={useBaseUrl('img/send-data/trend-micro-vision-one.png')} alt="Trend-Micro-Vision-One-icon" width="50" /> | ||
|
|
||
| The Trend Micro Vision One App for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response. With this app, users gain real-time visibility into security events and incidents within their organization's infrastructure, allowing them to quickly detect and react to potential threats. It provides a suite of interactive dashboards that present a comprehensive view of all alerts and indicators, outfitted with pre-configured visual tools such as charts, graphs, and tables. These features make it easier for teams to discern trends, patterns, and anomalies in their security data, ultimately strengthening their organization's security posture and protecting against advanced threats and attacks. | ||
|
|
||
| :::info | ||
| This app includes [built-in monitors](#trend-micro-vision-one-monitors). For details on creating custom monitors, refer to [Create monitors for Trend Micro Vision One app](#create-monitors-for-trend-micro-vision-one-app). | ||
| ::: | ||
|
|
||
| ## Log types | ||
|
|
||
| This app uses Sumo Logic’s Trend Micro Vision One Source to collect [alert logs](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source/) from Trend Micro platform. | ||
JV0812 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| ## Sample log messages | ||
|
|
||
| ```json title="Alert Log" | ||
| { | ||
| "schemaVersion": "1.15", | ||
| "id": "WB-13276-20241108-00002", | ||
| "investigationStatus": "New", | ||
| "status": "Open", | ||
| "investigationResult": "No Findings", | ||
| "workbenchLink": "https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-13276-20241108-00002?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3", | ||
| "alertProvider": "SAE", | ||
| "modelId": "3cdd0c01-e0f1-4264-b013-4ff96ea4adb6", | ||
| "model": "Hacking Tool Detection - Blocked", | ||
| "modelType": "preset", | ||
| "score": 21, | ||
| "severity": "low", | ||
| "createdDateTime": "2024-11-08T09:51:33Z", | ||
| "updatedDateTime": "2024-11-08T09:51:39Z", | ||
| "ownerIds": [], | ||
| "incidentId": "IC-13276-20241108-00000", | ||
| "impactScope": { | ||
| "desktopCount": 1, | ||
| "serverCount": 0, | ||
| "accountCount": 0, | ||
| "emailAddressCount": 0, | ||
| "containerCount": 0, | ||
| "cloudIdentityCount": 0, | ||
| "entities": [ | ||
| { | ||
| "entityType": "host", | ||
| "entityValue": { | ||
| "guid": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E", | ||
| "name": "desktop-hj8smna", | ||
| "ips": [ | ||
| "10.50.10.212" | ||
| ] | ||
| }, | ||
| "entityId": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E", | ||
| "relatedEntities": [], | ||
| "relatedIndicatorIds": [ | ||
| 1, | ||
| 2, | ||
| 3, | ||
| 4, | ||
| 5, | ||
| 6 | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ], | ||
| "managementScopeGroupId": "f70f8654-d627-42eb-8c1c-9762b5760db0" | ||
| } | ||
| ] | ||
| }, | ||
| "description": "A hacking tool, which is generally used for cracking computer and network security or by system administrators to test security, was detected and blocked on an endpoint.", | ||
| "matchedRules": [ | ||
| { | ||
| "id": "7310dc1a-49c4-4859-a851-c941f511009a", | ||
| "name": "Hacking Tool Detection - Blocked", | ||
| "matchedFilters": [ | ||
| { | ||
| "id": "a665ee2c-1568-466c-8a99-4744e02b180e", | ||
| "name": "Hacking Tool Detection - Blocked", | ||
| "matchedDateTime": "2024-11-08T09:43:02.000Z", | ||
| "mitreTechniqueIds": [], | ||
| "matchedEvents": [ | ||
| { | ||
| "uuid": "b028b186-f775-4e15-8654-01bab37bcf6b", | ||
| "matchedDateTime": "2024-11-08T09:43:02.000Z", | ||
| "type": "PRODUCT_EVENT_LOG" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "indicators": [ | ||
| { | ||
| "id": 1, | ||
| "type": "detection_name", | ||
| "field": "malName", | ||
| "value": "HKTL_MIMIKATZ", | ||
| "relatedEntities": [ | ||
| "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" | ||
| ], | ||
| "filterIds": [ | ||
| "a665ee2c-1568-466c-8a99-4744e02b180e" | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ] | ||
| }, | ||
| { | ||
| "id": 2, | ||
| "type": "file_sha1", | ||
| "field": "fileHash", | ||
| "value": "", | ||
| "relatedEntities": [ | ||
| "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" | ||
| ], | ||
| "filterIds": [ | ||
| "a665ee2c-1568-466c-8a99-4744e02b180e" | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ] | ||
| }, | ||
| { | ||
| "id": 3, | ||
| "type": "filename", | ||
| "field": "fileName", | ||
| "value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)", | ||
| "relatedEntities": [ | ||
| "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" | ||
| ], | ||
| "filterIds": [ | ||
| "a665ee2c-1568-466c-8a99-4744e02b180e" | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ] | ||
| }, | ||
| { | ||
| "id": 4, | ||
| "type": "fullpath", | ||
| "field": "fullPath", | ||
| "value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)", | ||
| "relatedEntities": [ | ||
| "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" | ||
| ], | ||
| "filterIds": [ | ||
| "a665ee2c-1568-466c-8a99-4744e02b180e" | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ] | ||
| }, | ||
| { | ||
| "id": 5, | ||
| "type": "text", | ||
| "field": "actResult", | ||
| "value": "File cleaned", | ||
| "relatedEntities": [ | ||
| "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" | ||
| ], | ||
| "filterIds": [ | ||
| "a665ee2c-1568-466c-8a99-4744e02b180e" | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ] | ||
| }, | ||
| { | ||
| "id": 6, | ||
| "type": "text", | ||
| "field": "scanType", | ||
| "value": "Real-time Scan", | ||
| "relatedEntities": [ | ||
| "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" | ||
| ], | ||
| "filterIds": [ | ||
| "a665ee2c-1568-466c-8a99-4744e02b180e" | ||
| ], | ||
| "provenance": [ | ||
| "Alert" | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
| ## Sample queries | ||
|
|
||
| ```sql title="Total Alerts" | ||
| _sourceCategory="Labs/TrendMicroVisionOne" | ||
| | json "id", "status", "investigationResult", "workbenchLink", "alertProvider", "model", "modelType", "score", "severity", "createdDateTime", "updatedDateTime", "incidentId", "impactScope.desktopCount","impactScope.serverCount","impactScope.accountCount","impactScope.emailAddressCount","impactScope.containerCount","impactScope.cloudIdentityCount","description","indicators","impactScope.entities[*].entityType","matchedRules","matchedRules[*].matchedFilters[*].mitreTechniqueIds" as id,status,investigation_result,workbench_link,alert_provider,model,model_type,score,severity,created_date_time,updated_date_time, incident_id,desktop_count,server_count,account_count,email_address_count,container_count,cloud_identity_count,description,indicators,entity_types,matched_rules,mitre_techniques nodrop | ||
|
|
||
| // extracting parameters | ||
| | extract field=indicators "(?<updated_indicators>\{[^}]*\})" multi nodrop | ||
| | extract field=matched_rules "(?<updated_matched_rules>\{[^}]*\})" multi nodrop | ||
| | extract field=entity_types "\"?(?<entity_type>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop | ||
| | json field=updated_indicators "provenance" as provenance nodrop | ||
| | extract field=provenance "\"?(?<indicator_source>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop | ||
| | extract field=mitre_techniques "\"?(?<mitre_technique>[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop | ||
|
|
||
| // global filters | ||
| | where severity matches "{{severity}}" | ||
| | where status matches "{{status}}" | ||
| | where investigation_result matches "{{investigation_result}}" | ||
| | where alert_provider matches "{{alert_provider}}" | ||
| | where model_type matches "{{model_type}}" | ||
| | where model matches "{{model}}" | ||
| | where incident_id matches "{{incident_id}}" | ||
|
|
||
| // panel specific | ||
| | count by id | ||
| | count | ||
| ``` | ||
|
|
||
| ## Set up collection | ||
|
|
||
| To set up the [Trend Micro Vision One Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source) for the Trend Micro Vision One app, follow the instructions provided. These instructions will guide you through the process of creating a source using the Trend Micro Vision One Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Trend Micro Vision One app is properly integrated and configured to collect and analyze your Alerts data. | ||
|
|
||
| ## Installing the Trend Micro Vision One app | ||
|
|
||
| import AppInstall2 from '../../reuse/apps/app-install-v2.md'; | ||
|
|
||
| <AppInstall2/> | ||
|
|
||
| ## Viewing Trend Micro Vision One dashboards | ||
JV0812 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| import ViewDashboards from '../../reuse/apps/view-dashboards.md'; | ||
|
|
||
| <ViewDashboards/> | ||
|
|
||
| ### Overview | ||
|
|
||
| The **Trend Micro Vision One - Overview** dashboard provides details on security alerts, their severity, status, and distribution across different categories and time periods. | ||
| Use this dashboard to: | ||
| 1. Monitor the number and severity of security alerts in real-time, allowing for quick identification of high-priority threats. | ||
JV0812 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| 2. Analyze the distribution of alerts by provider, status, and investigation result to prioritize response efforts and allocate resources effectively. | ||
| 3. Track alert trends over time and correlate them with specific event types or indicators to identify patterns or emerging threats. | ||
| 4. Review the top affected entities and detection models to focus on the most critical assets and effective detection mechanisms. | ||
| <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/TrendMicroVisionOne/Trend-Micro-Vision-One-Overview.png' alt="Trend-Micro-Vision-One-Overview" /> | ||
JV0812 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ## Create monitors for Trend Micro Vision One app | ||
|
|
||
| import CreateMonitors from '../../reuse/apps/create-monitors.md'; | ||
|
|
||
| <CreateMonitors/> | ||
|
|
||
| ### Trend Micro Vision One monitors | ||
|
|
||
| The Trend Micro Vision One Monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Trend Micro Platform. These notifications offer instantaneous insight into significant events, allowing security personnel to swiftly react to deviations or breaches. | ||
JV0812 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| | Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | | ||
| |:--|:--|:--|:--| | ||
| | `Trend Micro Vision One - Credential Dumping Detection` | Detects techniques aligned with MITRE ATT&CK `T1003` (Credential Dumping) for early detection of compromised credentials. | Critical | Count > 0 | | ||
| | `Trend Micro Vision One - Critical Severity Alerts` | Provides immediate visibility into critical and high-severity alerts that need urgent attention. | Critical | Count > 0| | ||
| | `Trend Micro Vision One - Endpoint Infection Impact Scope` | Tracks threats affecting multiple endpoints, allowing teams to respond to potential spread. | Critical | Count > 0| | ||
| | `Trend Micro Vision One - Hacking Tools Detected and Blocked` | Monitors unauthorized tools such as Mimikatz used for reconnaissance or attacks. | Critical | Count > 0| | ||
| | `Trend Micro Vision One - Unresolved Alerts Aging Beyond SLA` | Identifies overdue alerts that require escalation or follow-up. | Critical | Count > 0| | ||
|
|
||
|
|
||
| ## Upgrading the Trend Micro Vision One app (Optional) | ||
|
|
||
| import AppUpdate from '../../reuse/apps/app-update.md'; | ||
|
|
||
| <AppUpdate/> | ||
|
|
||
| ## Uninstalling the Trend Micro Vision One app (Optional) | ||
|
|
||
| import AppUninstall from '../../reuse/apps/app-uninstall.md'; | ||
|
|
||
| <AppUninstall/> | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.