[SIEMINT-85] DDS: Trend Micro Vision One XDR: Crawler Integration v1.0.0

[tirthrajchaudhari-crest]

What does this PR do?

This is a initial release PR of Trend Micro Vision One XDR integration including all the required assets.

Additional Notes

• Crawler code for this integration has been committed in its respective repo
• Pipeline and Facet group created for this integration are available in our sandbox and would be shared separately with the required teams.
• Samples for the pipeline review would also be shared separately with the required teams.
• OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository.
• Since during the standard attribute remapping we are not preserving the source attributes as per suggested best practices, it would result in filters using these standard attributes populating the values of other integrations as well as per current Datadog behaviour
• We have live data for Workbench Alerts, endpointActivity, and Detections from the OAT event type. However, for activities like cloudActivity, networkActivity, mobileActivity, containerActivity, emailActivity, and identityActivity, we do not have live data. Therefore, we have created data samples from the API documentation.

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• Changelog entries must be created for modifications to shipped code
• Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
• If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

[buraizu]

Thanks, created DOCS-8655 to review

[cswatt]

Just a few small edits

[cswatt]

Suggested change

	[Trend Micro Vision One XDR][1] collects and automatically correlates data across multiple security layers - email, endpoint, server, cloud workload, and network. This allows for faster detection of threats and improved investigation and response times through security analysis.
	[Trend Micro Vision One XDR][1] collects and automatically correlates data across multiple security layers: email, endpoint, server, cloud workload, and network. This allows for faster detection of threats and improved investigation and response times through security analysis.

[tirthrajchaudhari-crest]

Done

[cswatt]

Suggested change

	This integration seamlessly collects all the above listed logs, channeling them into Datadog for analysis. Leveraging the built-in logs pipeline, these logs are parsed and enriched, enabling effortless search and analysis. The integration provides insight into workbench alerts and observed attack techniques through the out-of-the-box dashboards.
	This integration collects all the above listed logs and sends them to Datadog for analysis. Datadog uses the built-in logs pipeline to parse and enrich these logs, enabling effortless search and analysis. The integration provides insight into workbench alerts and observed attack techniques through the out-of-the-box dashboards.

[tirthrajchaudhari-crest]

Done

[cswatt]

Is there any setup required here?

[tirthrajchaudhari-crest]

We have added the setup configurations steps above. Can you please let us know the exact requirement here?

[cswatt]

Suggested change

"content": "This dashboard offers a comprehensive view of detected attack patterns across various data sources, including network traffic, application logs, and endpoint activities. \n\nThis allows you to visualize and analyze attack techniques in real time, enhancing their ability to identify and respond to threats quickly. \n\nFor more information, see the [Trend Micro Vision One XDR Integration Documentation](https://docs.datadoghq.com/integrations/trend_micro_vision_one_xdr).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations.\n",

"content": "This dashboard offers a comprehensive view of detected attack patterns across various data sources, including network traffic, application logs, and endpoint activities. \n\nThis allows you to visualize and analyze attack techniques in real time, enhancing your ability to identify and respond to threats quickly. \n\nFor more information, see the [Trend Micro Vision One XDR Integration Documentation](https://docs.datadoghq.com/integrations/trend_micro_vision_one_xdr).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n",

[tirthrajchaudhari-crest]

Done

[jnhunsberger]

A couple small changes are needed to the tile copy.

[jnhunsberger]

Please provide a description of what is contained in each endpoint

[tirthrajchaudhari-crest]

Done

[jnhunsberger]

Please add that we also offer out of the box detection rules for Ccloud SIEM customers.

[tirthrajchaudhari-crest]

Done

[jnhunsberger]

Looks good!

[apiazza-dd]

[nit] Can we bold "Workbench Alerts "and "Observed Attack Techniques"

[tirthrajchaudhari-crest]

Done

[apiazza-dd]

[nit] This integration collects logs from the sources listed above and sends them to Datadog for analysis with our Log Explorer and Cloud SIEM products

• https://docs.datadoghq.com/logs/explorer/
• https://www.datadoghq.com/product/cloud-siem/

[tirthrajchaudhari-crest]

Done

[apiazza-dd]

On > In

[tirthrajchaudhari-crest]

Done

[apiazza-dd]

"Specify the settings of the new API key." > "Specify the settings of the new API key with the following:"

[tirthrajchaudhari-crest]

Done

[apiazza-dd]

Please bold headings.

[tirthrajchaudhari-crest]

Done

[apiazza-dd]

Can we be more specific about which credentials, are they admin credentials?

[tirthrajchaudhari-crest]

Updated message with more specific details