diff --git a/blog-service/2025-01-06-apps.md b/blog-service/2025-01-06-apps.md new file mode 100644 index 0000000000..1d8cd79427 --- /dev/null +++ b/blog-service/2025-01-06-apps.md @@ -0,0 +1,14 @@ +--- +title: Trend Micro Vision One (Apps) +image: https://help.sumologic.com/img/sumo-square.png +keywords: + - apps + - trend-micro +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +We're excited to introduce the new Trend Micro Vision One app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud Trend Micro Vision One source that collects alert logs data from the Trend Micro Vision One platform. This app helps you can gain real-time visibility into security events and incidents within your organization's infrastructure, allowing them to detect and react to potential threats quickly. [Learn more](/docs/integrations/saas-cloud/trend-micro-vision-one/). \ No newline at end of file diff --git a/cid-redirects.json b/cid-redirects.json index 831720e359..163897361e 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -1595,6 +1595,7 @@ "/cid/10193": "/docs/integrations/saas-cloud/asana", "/cid/10181": "/docs/integrations/saas-cloud/atlassian", "/cid/10197": "/docs/integrations/saas-cloud/symantec-web-security-service", + "/cid/6016": "/docs/integrations/saas-cloud/trend-micro-vision-one", "/cid/10112": "/docs/integrations/app-development/jfrog-xray", "/cid/10113": "/docs/observability/root-cause-explorer", "/cid/10116": "/docs/manage/fields", diff --git a/docs/integrations/product-list/product-list-m-z.md b/docs/integrations/product-list/product-list-m-z.md index c49a7f5a0e..b59fd2f96d 100644 --- a/docs/integrations/product-list/product-list-m-z.md +++ b/docs/integrations/product-list/product-list-m-z.md @@ -183,7 +183,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [ThreatMiner](https://www.threatminer.org/) | Automation integration: [ThreatMiner](/docs/platform-services/automation-service/app-central/integrations/threatminer/) | | Thumbnail icon | [ThreatQ](https://www.threatq.com/) | Automation integration: [ThreatQ](/docs/platform-services/automation-service/app-central/integrations/threatq/) | | Thumbnail icon | [Trellix](https://www.trellix.com/en-us/index.html) | Automation integrations:
- [FireEye AX](/docs/platform-services/automation-service/app-central/integrations/fireeye-ax/)
- [FireEye Central Management (CM)](/docs/platform-services/automation-service/app-central/integrations/fireeye-central-management-cm/)
- [FireEye Email Security (EX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-email-security-ex/)
- [FireEye Endpoint Security (HX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-endpoint-security-hx/)
- [FireEye Helix](/docs/platform-services/automation-service/app-central/integrations/fireeye-helix/)
- [FireEye Network Security (NX)](/docs/platform-services/automation-service/app-central/integrations/fireeye-network-security-nx/)
Cloud SIEM integrations:
- [FireEye](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/1430ab5c-7b8b-44e9-a8ec-83076fa374eb.md)
- [Trellix](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/9bec8407-4182-46ec-99dd-2adfade15652.md)
Collector: [Trellix mVision ePO Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trellix-mvisio-epo-source/) | -| Thumbnail icon | [Trend Micro](https://www.trendmicro.com/en_us/business.html) | App: [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/)
Automation integrations:
- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/)
- [Trend Micro Vision ONE](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/)
Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md)
Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)| +| Thumbnail icon | [Trend Micro](https://www.trendmicro.com/en_us/business.html) | Apps:
- [Trend Micro Deep Security](/docs/integrations/security-threat-detection/trend-micro-deep-security/)
- [Trend Micro Vision One](/docs/integrations/saas-cloud/trend-micro-vision-one/)
Automation integrations:
- [Trend Micro Deep Security](/docs/platform-services/automation-service/app-central/integrations/trend-micro-deep-security/)
- [Trend Micro Vision One](/docs/platform-services/automation-service/app-central/integrations/trend-micro-vision-one/)
Cloud SIEM integration: [Trend Micro](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/8af48b83-18bf-4233-ad51-db37baca0313.md)
Collector: [Trend Micro Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source)| | Thumbnail icon | [Trust Login](https://trustlogin.com/en/) | Collector: [Trust Login Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trust-login-source) | | Thumbnail icon | [Tufin](https://www.tufin.com/) | Automation integrations:
- [Tufin SecureChange](/docs/platform-services/automation-service/app-central/integrations/tufin-securechange/)
- [Tufin SecureTrack V2](/docs/platform-services/automation-service/app-central/integrations/tufin-securetrack-v2/) | diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index f1096fc25b..e8077e6d27 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -310,6 +310,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Gain comprehensive visibility and actionable insights into your organization's security posture.

+
+
+ icon

Trend Micro Vision One

 +

Analyze alert logs to detect potential security risks.

+
+
icon

Webex

 diff --git a/docs/integrations/saas-cloud/trend-micro-vision-one.md b/docs/integrations/saas-cloud/trend-micro-vision-one.md new file mode 100644 index 0000000000..67f6a4c4d7 --- /dev/null +++ b/docs/integrations/saas-cloud/trend-micro-vision-one.md @@ -0,0 +1,281 @@ +--- +id: trend-micro-vision-one +title: Trend Micro Vision One +sidebar_label: Trend Micro Vision One +description: The Trend Micro Vision One app for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Trend-Micro-Vision-One-icon + +The Trend Micro Vision One app for Sumo Logic is designed to enhance the efficiency and effectiveness of security teams, offering a powerful solution for proactive threat monitoring and rapid incident response. With this app, you can gain real-time visibility into security events and incidents within your organization's infrastructure, allowing them to detect and react to potential threats quickly. It offers a suite of interactive dashboards with pre-configured visual tools like charts, graphs, and tables that provide a thorough view of all alerts and indicators. These features make it easier for teams to discern trends, patterns, and anomalies in your security data, ultimately strengthening your organization's security posture and protecting against advanced threats and attacks. + +:::info +This app includes [built-in monitors](#trend-micro-vision-one-monitors). For details on creating custom monitors, refer to the [Create monitors for Trend Micro Vision One app](#create-monitors-for-the-trend-micro-vision-one-app). +::: + +## Log types + +This app uses Sumo Logic’s Trend Micro Vision One Source to collect [alert logs](https://help.sumologic.com/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source/) from the Trend Micro platform. + +## Sample log message + +
+Alert Log + +```json +{ + "schemaVersion": "1.15", + "id": "WB-13276-20241108-00002", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-13276-20241108-00002?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3", + "alertProvider": "SAE", + "modelId": "3cdd0c01-e0f1-4264-b013-4ff96ea4adb6", + "model": "Hacking Tool Detection - Blocked", + "modelType": "preset", + "score": 21, + "severity": "low", + "createdDateTime": "2024-11-08T09:51:33Z", + "updatedDateTime": "2024-11-08T09:51:39Z", + "ownerIds": [], + "incidentId": "IC-13276-20241108-00000", + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 0, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "host", + "entityValue": { + "guid": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E", + "name": "desktop-hj8smna", + "ips": [ + "10.50.10.212" + ] + }, + "entityId": "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6 + ], + "provenance": [ + "Alert" + ], + "managementScopeGroupId": "f70f8654-d627-42eb-8c1c-9762b5760db0" + } + ] + }, + "description": "A hacking tool, which is generally used for cracking computer and network security or by system administrators to test security, was detected and blocked on an endpoint.", + "matchedRules": [ + { + "id": "7310dc1a-49c4-4859-a851-c941f511009a", + "name": "Hacking Tool Detection - Blocked", + "matchedFilters": [ + { + "id": "a665ee2c-1568-466c-8a99-4744e02b180e", + "name": "Hacking Tool Detection - Blocked", + "matchedDateTime": "2024-11-08T09:43:02.000Z", + "mitreTechniqueIds": [], + "matchedEvents": [ + { + "uuid": "b028b186-f775-4e15-8654-01bab37bcf6b", + "matchedDateTime": "2024-11-08T09:43:02.000Z", + "type": "PRODUCT_EVENT_LOG" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "detection_name", + "field": "malName", + "value": "HKTL_MIMIKATZ", + "relatedEntities": [ + "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" + ], + "filterIds": [ + "a665ee2c-1568-466c-8a99-4744e02b180e" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "file_sha1", + "field": "fileHash", + "value": "", + "relatedEntities": [ + "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" + ], + "filterIds": [ + "a665ee2c-1568-466c-8a99-4744e02b180e" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "filename", + "field": "fileName", + "value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)", + "relatedEntities": [ + "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" + ], + "filterIds": [ + "a665ee2c-1568-466c-8a99-4744e02b180e" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "fullpath", + "field": "fullPath", + "value": "C:\\Users\\Crest\\Downloads\\Unconfirmed 198655.crdownload(mimikatz-master\\Win32\\mimidrv.sys)", + "relatedEntities": [ + "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" + ], + "filterIds": [ + "a665ee2c-1568-466c-8a99-4744e02b180e" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "text", + "field": "actResult", + "value": "File cleaned", + "relatedEntities": [ + "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" + ], + "filterIds": [ + "a665ee2c-1568-466c-8a99-4744e02b180e" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "text", + "field": "scanType", + "value": "Real-time Scan", + "relatedEntities": [ + "A7AD7812-BF2B-4AAA-B963-ABFC57E58A6E" + ], + "filterIds": [ + "a665ee2c-1568-466c-8a99-4744e02b180e" + ], + "provenance": [ + "Alert" + ] + } + ] +} +``` +
+ +## Sample queries + +```sql title="Total Alerts" +_sourceCategory="Labs/TrendMicroVisionOne" +| json "id", "status", "investigationResult", "workbenchLink", "alertProvider", "model", "modelType", "score", "severity", "createdDateTime", "updatedDateTime", "incidentId", "impactScope.desktopCount","impactScope.serverCount","impactScope.accountCount","impactScope.emailAddressCount","impactScope.containerCount","impactScope.cloudIdentityCount","description","indicators","impactScope.entities[*].entityType","matchedRules","matchedRules[*].matchedFilters[*].mitreTechniqueIds" as id,status,investigation_result,workbench_link,alert_provider,model,model_type,score,severity,created_date_time,updated_date_time, incident_id,desktop_count,server_count,account_count,email_address_count,container_count,cloud_identity_count,description,indicators,entity_types,matched_rules,mitre_techniques nodrop + +// extracting parameters +| extract field=indicators "(?\{[^}]*\})" multi nodrop +| extract field=matched_rules "(?\{[^}]*\})" multi nodrop +| extract field=entity_types "\"?(?[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop +| json field=updated_indicators "provenance" as provenance nodrop +| extract field=provenance "\"?(?[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop +| extract field=mitre_techniques "\"?(?[\w\s\-&.,]*)\"?[,\n\]]" multi nodrop + +// global filters +| where severity matches "{{severity}}" +| where status matches "{{status}}" +| where investigation_result matches "{{investigation_result}}" +| where alert_provider matches "{{alert_provider}}" +| where model_type matches "{{model_type}}" +| where model matches "{{model}}" +| where incident_id matches "{{incident_id}}" + +// panel specific +| count by id +| count +``` + +## Set up collection + +To set up the [Trend Micro Vision One Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trend-micro-source) for the Trend Micro Vision One app, follow the instructions provided. These instructions will guide you through the process of creating a source using the Trend Micro Vision One Source category, which you will need to use when installing the app. By following these steps, you can ensure that your Trend Micro Vision One app is properly integrated and configured to collect and analyze your Alerts data. + +## Installing the Trend Micro Vision One app​ + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing the Trend Micro Vision One dashboards​​ + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Trend Micro Vision One - Overview** dashboard provides details on security alerts, their severity, status, and distribution across different categories and time periods. + +Use this dashboard to: + +- Monitor the number and severity of security alerts in real-time, allowing for quick identification of high-priority threats. +- Analyze the distribution of alerts by provider, status, and investigation result to prioritize response efforts and allocate resources effectively. +- Track alert trends over time and correlate them with specific event types or indicators to identify patterns or emerging threats. +- Review the top affected entities and detection models to focus on the most critical assets and effective detection mechanisms. +
Trend-Micro-Vision-One-Overview + +## Create monitors for the Trend Micro Vision One app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Trend Micro Vision One monitors + +The Trend Micro Vision One monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Trend Micro Platform. These notifications offer instantaneous insight into significant events, allowing security personnel to swiftly react to deviations or breaches. + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Trend Micro Vision One - Credential Dumping Detection` | This alert is triggered if techniques aligned with MITRE ATT&CK `T1003` (Credential Dumping) is detected. Helps for early detection of compromised credentials. | Critical | Count > 0 | +| `Trend Micro Vision One - Critical Severity Alerts` | This alert is triggered if critical and high-severity alerts are detected that need urgent attention. | Critical | Count > 0| +| `Trend Micro Vision One - Endpoint Infection Impact Scope` | This alert is triggered if threats affecting multiple endpoints is detected. This helps teams to respond to potential spread. | Critical | Count > 0| +| `Trend Micro Vision One - Hacking Tools Detected and Blocked` | This alert is triggered if any unauthorized tools such as Mimikatz used for reconnaissance or attacks is identified. | Critical | Count > 0| +| `Trend Micro Vision One - Unresolved Alerts Aging Beyond SLA` | This alert is triggered if any overdue alerts that require escalation or follow-up is identified. | Critical | Count > 0| + +## Upgrading/Downgrading the Trend Micro Vision One app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Trend Micro Vision One app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + diff --git a/sidebars.ts b/sidebars.ts index ad6848825b..26c9581e86 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2486,6 +2486,7 @@ integrations: [ 'integrations/saas-cloud/sophos', 'integrations/saas-cloud/symantec-web-security-service', 'integrations/saas-cloud/tenable', + 'integrations/saas-cloud/trend-micro-vision-one', 'integrations/saas-cloud/webex', 'integrations/saas-cloud/workday', 'integrations/saas-cloud/zendesk', diff --git a/static/img/send-data/trend-micro-vision-one.png b/static/img/send-data/trend-micro-vision-one.png new file mode 100644 index 0000000000..5669c71853 Binary files /dev/null and b/static/img/send-data/trend-micro-vision-one.png differ