diff --git a/trend_micro_vision_one_xdr/CHANGELOG.md b/trend_micro_vision_one_xdr/CHANGELOG.md
index ad58f16d9618d..ea8d6fcdffd9a 100644
--- a/trend_micro_vision_one_xdr/CHANGELOG.md
+++ b/trend_micro_vision_one_xdr/CHANGELOG.md
@@ -1,6 +1,6 @@
 # CHANGELOG - trend-micro-vision-one-xdr
-## 1.0.0 / 2024-08-06
+## 1.0.0 / 2024-08-20
 ***Added***:
diff --git a/trend_micro_vision_one_xdr/README.md b/trend_micro_vision_one_xdr/README.md
index 9afce7a93e5e0..ec5e455eee1c0 100644
--- a/trend_micro_vision_one_xdr/README.md
+++ b/trend_micro_vision_one_xdr/README.md
@@ -1,43 +1,67 @@
-# Agent Check: trend-micro-vision-one-xdr
-
 ## Overview
-This check monitors [trend-micro-vision-one-xdr][1].
+[Trend Micro Vision One XDR][1] collects and automatically correlates data across multiple security layers: email, endpoint, server, cloud workload, and network. This allows for faster detection of threats and improved investigation and response times through security analysis.
-## Setup
+This integration ingests the following logs:
-### Installation
+- **Workbench Alerts**: This endpoint contains information about all the standalone alerts triggered by detection models.
+- **Observed Attack Techniques**: This endpoint contains information about observed attack techniques from Detections, Endpoint Activity, Cloud Activity, Email Activity, Mobile Activity, Network Activity, Container Activity, and Identity Activity data sources.
-The trend-micro-vision-one-xdr check is included in the [Datadog Agent][2] package.
-No additional installation is needed on your server.
+This integration collects logs from the sources listed above and sends them to Datadog for analysis with our Log Explorer and Cloud SIEM products
+* https://docs.datadoghq.com/logs/explorer/
+* https://www.datadoghq.com/product/cloud-siem/
+
+## Setup
 ### Configuration
-!!! Add list of steps to set up this integration !!!
+#### Create API KEY from Trend Micro Vision One XDR
+
+1. In the Trend Vision One console, go to **Administration > API Keys** .
+2. Generate a new authentication token. Click **Add API key**. Specify the settings of the new API key with the following:
+ - **Name**: A meaningful name that can help you identify the API key
+ - **Role**: The user role assigned to the key. Select **SIEM** from dropdown.
+ - **Expiration time**: The time the API key remains valid.
+ - **Status**: Whether the API key is enabled.
+ - **Details**: Extra information about the API key.
+3. Click **Add**.
+4. Copy and store the authentication token in a secure location.
-### Validation
-!!! Add steps to validate integration is functioning as expected !!!
+#### Trend Micro Vision One XDR DataDog Integration Configuration
+
+Configure the Datadog endpoint to forward Trend Micro Vision One XDR logs to Datadog.
+
+1. Navigate to `Trend Micro Vision One XDR`.
+2. Add your Trend Micro Vision One XDR Host Region and API Key.
+
+| Trend Micro Vision One XDR Parameters | Description |
+| ------------------------------------- | ------------------------------------------------------------ |
+| Host Region | The Region of your Trend Micro Vision One XDR Console |
+| API Key | The API Key of your Trend Micro Vision One XDR Console |
+
 ## Data Collected
+### Logs
+The Trend Micro Vision One XDR integration collects and forwards Workbench Alerts and Observed Attack Techniques logs to Datadog.
+
 ### Metrics
-trend-micro-vision-one-xdr does not include any metrics.
+Trend Micro Vision One XDR does not include any metrics.
 ### Service Checks
-trend-micro-vision-one-xdr does not include any service checks.
+Trend Micro Vision One XDR does not include any service checks.
 ### Events
-trend-micro-vision-one-xdr does not include any events.
+Trend Micro Vision One XDR does not include any events.
-## Troubleshooting
+## Support
-Need help? Contact [Datadog support][3].
+For further assistance, contact [Datadog Support][2].
-[1]: **LINK_TO_INTEGRATION_SITE**
-[2]: https://app.datadoghq.com/account/settings/agent/latest
-[3]: https://docs.datadoghq.com/help/
+[1]: https://www.trendmicro.com/en_in/business/products/detection-response/xdr.html
+[2]: https://docs.datadoghq.com/help/
diff --git a/trend_micro_vision_one_xdr/assets/dashboards/trend_micro_vision_one_xdr_observed_attack_techniques.json b/trend_micro_vision_one_xdr/assets/dashboards/trend_micro_vision_one_xdr_observed_attack_techniques.json
new file mode 100644
index 0000000000000..4be225045f8f2
--- /dev/null
+++ b/trend_micro_vision_one_xdr/assets/dashboards/trend_micro_vision_one_xdr_observed_attack_techniques.json 
@@ -0,0 +1,5766 @@ +{ + "title": "Trend Micro Vision One XDR - Observed Attack Techniques", + "description": "This dashboard provides the insights into the Observed Attack Techniques detected in Trend Micro Vision One XDR.", + "widgets": [ + { + "id": 8859993632667998, + "definition": { + "title": "New group", + "banner_img": "https://www.trendmicro.com/content/dam/trendmicro/global/en/global/logo/trend-micro-logo.png", + "show_title": false, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5872268233797356, + "definition": { + "type": "note", + "content": "This dashboard offers a comprehensive view of detected attack patterns across various data sources, including network traffic, application logs, and endpoint activities. \n\nThis allows you to visualize and analyze attack techniques in real time, enhancing your ability to identify and respond to threats quickly. \n\nFor more information, see the [Trend Micro Vision One XDR Integration Documentation](https://docs.datadoghq.com/integrations/trend_micro_vision_one_xdr).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + }, + { + "id": 2505837663829198, + "definition": { + "title": "OAT Overview", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6285436885924462, + "definition": { + "title": "Total OAT Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": 
"query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#dbcbfb" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 5929634824443710, + "definition": { + "title": "OAT Events by Risk Level over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.filterRiskLevel", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "semantic", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 6 + } + }, + { + "id": 1371112650735412, + "definition": { + "title": "OAT Details", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1439363259599552, + "definition": { 
+ "title": "Total Critical Risk Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.filterRiskLevel:critical $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#c9080b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 3218088293970404, + "definition": { + "title": "Total High Risk Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.filterRiskLevel:high $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#edb25a" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 3151229309347954, + "definition": { + "title": "Total Medium Risk Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + 
"aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.filterRiskLevel:medium $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#9baaba" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 6866443553302436, + "definition": { + "title": "Total Low Risk Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.filterRiskLevel:low $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#9acbe3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 2 + } + }, + { + "id": 8174769258761820, + "definition": { + "title": "Total Info Risk Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.filterRiskLevel:info $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + 
"value": 0, + "palette": "custom_bg", + "custom_bg_color": "#c4c4c4" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 2 + } + }, + { + "id": 6074416801330922, + "definition": { + "title": "Top 10 Mitre Tactic IDs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@filters.mitreTacticIds", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1803733434734774, + "definition": { + "title": "Top Data Sources", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@source", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + 
"type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 2215400544264106, + "definition": { + "title": "Distribution of Events by Entity Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@entityType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @entityType:* $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 384677736861298, + "definition": { + "title": "Top 10 Detection Filters", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@filters.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" 
+ }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 6556763808982186, + "definition": { + "title": "OAT Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@source", + "width": "auto" + }, + { + "field": "detail.filterRiskLevel", + "width": "auto" + }, + { + "field": "entityType", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 17 + } + }, + { + "id": 7441664145414468, + "definition": { + "title": "Endpoint Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5426472045914522, + "definition": { + "title": "Total Endpoint Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 1797626759894956, + "definition": { + "title": "Endpoint 
Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Endpoint Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7244503661490156, + "definition": { + "title": "Top 10 Events by Endpoints Host Name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.endpointHostName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + 
} + }, + { + "id": 4873343018560864, + "definition": { + "title": "Top 10 Events by Endpoint IP Address", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.endpointIp", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 2456709559745804, + "definition": { + "title": "Top 10 Source IP by Source Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@network.client.port", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + 
} + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 5508251173144970, + "definition": { + "title": "Top 10 Destination IP by Destination Port", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@network.destination.port", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1783019166693998, + "definition": { + "title": "Distribution of Events by Event Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@event_type", + "limit": 15, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @event_type:* 
@source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7389274854759678, + "definition": { + "title": "Top Logon Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.logonUser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 6775716525211552, + "definition": { + "title": "Endpoint Activity Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:endpointActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": 
"detail.endpointGuid", + "width": "auto" + }, + { + "field": "detail.endpointHostName", + "width": "auto" + }, + { + "field": "detail.endpointIp", + "width": "auto" + }, + { + "field": "detail.endpointHostName", + "width": "auto" + }, + { + "field": "event_type", + "width": "auto" + }, + { + "field": "detail.logonUser", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 20 + } + }, + { + "id": 3382060436808330, + "definition": { + "title": "Detections", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7913975426343580, + "definition": { + "title": "Total Detection Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 7404559020634436, + "definition": { + "title": "Detection Events over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Detection Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": 
"source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 4896234807579516, + "definition": { + "title": "Top Actions", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.act", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4016760549511546, + "definition": { + "title": "Top Action Result", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.actResult", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 5800409051189904, + "definition": { + "title": "Top Blocking Reasons", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.blocking", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7197540351850338, + "definition": { + "title": "Top Device Hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.dhost", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + 
} + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1724194119716878, + "definition": { + "title": "Distribution of Events by Protocol Detected", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.app", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.app:* @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 2739411107609906, + "definition": { + "title": "Distribution of Events by Protocol Group Detected", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.appGroup", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques 
@detail.appGroup:* @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 8566407571327872, + "definition": { + "title": "Device Directions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.deviceDirection", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.deviceDirection:* @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 7099911258188320, + "definition": { + "title": "Product Detection Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.detectionType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques 
@detail.detectionType:* @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 2398974370166006, + "definition": { + "title": "Top Domain Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.domainName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 19, + "width": 4, + "height": 4 + } + }, + { + "id": 1682560909987186, + "definition": { + "title": "Top 10 File Detected", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.filePathName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source 
$Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 4, + "y": 19, + "width": 4, + "height": 4 + } + }, + { + "id": 7005889840181442, + "definition": { + "title": "Top Threat Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.threatName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 8, + "y": 19, + "width": 4, + "height": 4 + } + }, + { + "id": 4308613118972006, + "definition": { + "title": "Detection Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:detections $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + 
], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 23, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 43, + "width": 12, + "height": 28 + } + }, + { + "id": 7032180084981088, + "definition": { + "title": "Cloud Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5833022494538560, + "definition": { + "title": "Total Cloud Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:cloudActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4182637362598996, + "definition": { + "title": "Cloud Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Cloud Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:cloudActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + 
"display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 7568428681071846, + "definition": { + "title": "Total Write Operation Performed", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:cloudActivityData @detail.readOnly:true $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 8558859139489130, + "definition": { + "title": "Event Categories", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.eventCategory", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.eventCategory:* @source:cloudActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 7807773836553110, + "definition": { + "title": "Top 10 Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + 
"requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:cloudActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 4, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 2257606243114956, + "definition": { + "title": "Event Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.eventType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @detail.eventType:* @source:cloudActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 8, + "y": 4, + "width": 4, + "height": 4 + } + }, + { + "id": 1255179917328080, + "definition": { + "title": "Cloud Activity Details", + "title_size": "16", + "title_align": "left", + 
"requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:cloudActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 71, + "width": 12, + "height": 13 + } + }, + { + "id": 5225002889620022, + "definition": { + "title": "Container Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8682625635013952, + "definition": { + "title": "Total Container Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8017593927935330, + "definition": { + "title": "Container Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Container Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": 
"logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2326603679404528, + "definition": { + "title": "Top 10 Container Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.containerName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4289729370071156, + "definition": { + "title": "Top 10 Cluster Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.clusterName", + "limit": 10, 
+ "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 6914438569647724, + "definition": { + "title": "Top 10 Kubernetes Namespace", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.k8sNamespace", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7733735783220814, + "definition": { + "title": "Top 10 Kubernetes Pod Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + 
"aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.k8sPodName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1216715765591240, + "definition": { + "title": "Container Activity Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:containerActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 84, + "width": 12, + "height": 16 + } + }, + { + "id": 5014982733411700, + "definition": { + "title": "Network Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6516832094256714, + "definition": { + "title": "Total Network Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + 
"data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8306930229862398, + "definition": { + "title": "Network Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Network Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 4997970225554290, + "definition": { + "title": "Top 10 Endpoint Host Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.endpointHostName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr 
service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 2841278197342448, + "definition": { + "title": "Top 10 Requested Destination URL", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.request", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 3434941617984460, + "definition": { + "title": "Top 10 Endpoint Device OS", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.osName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" 
+ } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7216310309513982, + "definition": { + "title": "Top 10 Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8610890138397744, + "definition": { + "title": "Server TLS/SSL Versions", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": 
"@detail.serverTls", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData @detail.serverTls:* $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + }, + { + "id": 2635979354461686, + "definition": { + "title": "Top 10 Username Domains", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.userDomain", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 5088776609128686, + "definition": { + "title": "Top 10 Requested Applications", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ 
+ { + "facet": "@detail.application", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 4 + } + }, + { + "id": 96724062506078, + "definition": { + "title": "Network Activity Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:networkActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 100, + "width": 12, + "height": 24 + } + }, + { + "id": 880749577972932, + "definition": { + "title": "Mobile Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1623790504315422, + "definition": { + "title": "Total Mobile Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" 
+ ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:mobileActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8579406685105712, + "definition": { + "title": "Mobile Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Mobile Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:mobileActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7519541896726580, + "definition": { + "title": "Top 10 Endpoint Host Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.endpointHostName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:mobileActivityData $Source 
$Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 6429568756216956, + "definition": { + "title": "Top 10 Endpoint IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.endpointIp", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:mobileActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 4438383009755712, + "definition": { + "title": "Top 10 Logon User Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.logonUser", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr 
service:observed-attack-techniques @source:mobileActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7798335850604720, + "definition": { + "title": "Top 10 URL Requested", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.request", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:mobileActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1815967342253956, + "definition": { + "title": "Mobile Activity Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:mobileActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": 
"status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 124, + "width": 12, + "height": 16 + } + }, + { + "id": 7920666364535808, + "definition": { + "title": "Email Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1852849719266772, + "definition": { + "title": "Total Email Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 7403349374850776, + "definition": { + "title": "Email Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Email Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", 
+ "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7587841364240156, + "definition": { + "title": "Top 10 Email Subjects", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.mailMsgSubject", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 82111249629538, + "definition": { + "title": "Top 10 Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + 
"count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 7221221179953388, + "definition": { + "title": "Top 10 Sender Emails", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.mailFromAddresses", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 7496156592161118, + "definition": { + "title": "Top 10 Recipient Emails", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.mailToAddresses", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": 
"scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 5887080668923920, + "definition": { + "title": "Distribution of Events by Email Source Domain", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.mailSourceDomain", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData @detail.mailSourceDomain:* $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + }, + { + "id": 7155506506563030, + "definition": { + "title": "Email Activity Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:emailActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" 
+ } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 140, + "width": 12, + "height": 20 + } + }, + { + "id": 2272283074428766, + "definition": { + "title": "Identity Activity", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5244324327154682, + "definition": { + "title": "Total Identity Activity Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 8112885728146168, + "definition": { + "title": "Identity Activity Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Identity Activity Events", + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "datadog16", + "order_by": "values", + "color_order": "shuffled", + "line_type": 
"solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 6172794607423558, + "definition": { + "title": "Top 10 Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 7877729730375302, + "definition": { + "title": "Top Sign-In Status", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.statusReason", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": 
{ + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 3, + "width": 6, + "height": 4 + } + }, + { + "id": 12795879177476, + "definition": { + "title": "Identity Providers", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.idpName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData @detail.idpName:* $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 4137660944974898, + "definition": { + "title": "Top 10 Identity Provider Event Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@detail.eventName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": 
"desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8394399540196262, + "definition": { + "title": "Identity Event by Region", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 12, + "height": 4 + } + }, + { + "id": 5855205773926644, + "definition": { + "title": "Identity Activity Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:observed-attack-techniques @source:identityActivityData $Source $Risk-Level", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + 
"y": 160, + "width": 12, + "height": 20 + } + }, + { + "id": 2678913500799370, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8173895520076704, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Observed Attack Techniques logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "purple", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5867027343133690, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:critical $Source $Risk-Level" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 1786303523722774, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + 
"formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:high $Source $Risk-Level" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 2577399539515404, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:critical $Source $Risk-Level" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 6209523051868818, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + 
"indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:medium $Source $Risk-Level" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 8545904237338876, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:low $Source $Risk-Level" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 1657767111606620, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:info $Source $Risk-Level" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + 
"x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 8521511668485272, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:high $Source $Risk-Level" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [ + { + "label": "View related Security Signals", + "link": "/security?query=@workflow.rule.name:{{@workflow.rule.name.value}}&column=time&order=desc&view=signal&start={{timestamp_widget_start}}&end={{timestamp_widget_end}}&paused=false" + } + ], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 614168295558700, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:observed-attack-techniques status:medium $Source $Risk-Level" + } + } + ], + 
"response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 180, + "width": 12, + "height": 10 + } + } + ], + "template_variables": [ + { + "name": "Source", + "prefix": "@source", + "available_values": [], + "default": "*" + }, + { + "name": "Risk-Level", + "prefix": "@detail.filterRiskLevel", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/trend_micro_vision_one_xdr/assets/dashboards/trend_micro_vision_one_xdr_workbench_alerts.json b/trend_micro_vision_one_xdr/assets/dashboards/trend_micro_vision_one_xdr_workbench_alerts.json new file mode 100644 index 0000000000000..d7d2f4c3d07ee --- /dev/null +++ b/trend_micro_vision_one_xdr/assets/dashboards/trend_micro_vision_one_xdr_workbench_alerts.json 
@@ -0,0 +1,1696 @@ +{ + "title": "Trend Micro Vision One XDR - Workbench Alerts", + "description": "This dashboard provides the insights into the Alerts generated in Trend Micro Vision One XDR.", + "widgets": [ + { + "id": 8442478561211794, + "definition": { + "title": "New group", + "banner_img": "https://www.trendmicro.com/content/dam/trendmicro/global/en/global/logo/trend-micro-logo.png", + "show_title": false, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 661152336132838, + "definition": { + "type": "note", + "content": " Workbench alerts in a Datadog dashboard provide a centralized, real-time alerts generated in Trend Micro Vision One XDR. These alerts aggregate and offering insights into security incidents. \n\nThis holistic approach enhances visibility, improves incident response times, and supports proactive system management, ensuring robust and reliable application performance.\n\nFor more information, see the [Trend Micro Vision One XDR Integration Documentation](https://docs.datadoghq.com/integrations/trend_micro_vision_one_xdr).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + }, + { + "id": 395271531831574, + "definition": { + "title": "Workbench Alerts Overview", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6285436885924462, + "definition": { + "title": "Total Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + 
"formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f4bebe" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 1764028348108714, + "definition": { + "title": "Alerts by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id", + "interval": 600000 + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 6 + } + }, + { + "id": 5161758451345736, + "definition": { + "title": "Workbench Alerts", + "background_color": "pink", + "show_title": true, + "type": 
"group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7756629473135054, + "definition": { + "title": "Total Alerts with Critical Severity", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts @severity:critical $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#c9080b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 2142172297914268, + "definition": { + "title": "Total Alerts with High Severity", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts @severity:high $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#edb25a" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 7145178723253610, + "definition": { + "title": "Total Alerts with Medium Severity", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": 
[ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts @severity:medium $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#9baaba" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 5555186778783376, + "definition": { + "title": "Total Alerts with Low Severity", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts @severity:low $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#9acbe3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 6092838927988990, + "definition": { + "title": "Total Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@incidentId" + }, + "group_by": [], + "search": { + "query": 
"source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#f3f1af" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 2 + } + }, + { + "id": 1751665977588806, + "definition": { + "title": "Avg. Impact Score", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "avg", + "metric": "@trend_micro_vision_one_xdr.score" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#96edb5" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 2 + } + }, + { + "id": 4313997968959812, + "definition": { + "title": "Alerts by Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@status", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts @status:* $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + 
"count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1221237570406462, + "definition": { + "title": "Top 5 Alerts Findings", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@investigationResult", + "limit": 5, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 5, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 2287855955637190, + "definition": { + "title": "Detection Model Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@modelType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts @modelType:* $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } 
+ ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 5034898244239830, + "definition": { + "title": "Top Alerts by Detection Model", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@model", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 4860186400202994, + "definition": { + "title": "Impact Scope Entity Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@impactScope.entities.entityType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts 
@impactScope.entities.entityType:* $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "hide_total": true, + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 6074416801330922, + "definition": { + "title": "Top 10 Mitre Technique IDs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@matchedRules.matchedFilters.mitreTechniqueIds", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 4, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 8237383137715168, + "definition": { + "title": "Top 10 Alerts Indicator Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@id" + }, + "group_by": [ + { + "facet": "@indicators.type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": 
"cardinality", + "metric": "@id" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 8, + "y": 12, + "width": 4, + "height": 4 + } + }, + { + "id": 1121825025831222, + "definition": { + "title": "Top Alerts with High Impact Score", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "avg", + "metric": "@trend_micro_vision_one_xdr.score" + }, + "group_by": [ + { + "facet": "@id", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "avg", + "metric": "@trend_micro_vision_one_xdr.score" + } + }, + { + "facet": "@workbenchLink", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "avg", + "metric": "@trend_micro_vision_one_xdr.score" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "bar", + "alias": "Impact Score", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto", + "custom_links": [ + { + "label": "Trend Micro Workbench Alert", + "link": "{{@workbenchLink.value}}" + } + ] + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + }, + { + "id": 6556763808982186, + "definition": { + "title": "Workbench Alert 
Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trend-micro-vision-one-xdr service:alerts $Status $Incident-ID $Entity-Type $Alert-ID", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "@trend_micro_vision_one_xdr.score", + "width": "auto" + }, + { + "field": "incidentId", + "width": "auto" + }, + { + "field": "@status", + "width": "auto" + }, + { + "field": "investigationResult", + "width": "auto" + }, + { + "field": "modelType", + "width": "auto" + }, + { + "field": "model", + "width": "auto" + }, + { + "field": "message", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 6, + "width": 12, + "height": 25, + "is_column_break": true + } + }, + { + "id": 8315892998152908, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "pink", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6111481529370340, + "definition": { + "type": "note", + "content": "\nDatadog Cloud SIEM analyzes and correlates Workbench Alert logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). 
", + "background_color": "pink", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 3615505781531662, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:critical $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 4221628299028734, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:high $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 
6037760580850864, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:critical $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 2765011665025946, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:medium $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5098768218681716, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + 
"conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:low $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 5366845962825944, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:info $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 1594813636767484, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + 
"aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:high $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 3461316408988100, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trend-micro-vision-one-xdr service:alerts status:medium $Alert-ID $Status $Incident-ID $Entity-Type" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 10 + } + } + ], + "template_variables": [ + { + "name": "Alert-ID", + "prefix": "@id", + "available_values": [], + "default": "*" + }, + { + "name": "Status", + "prefix": "@status", + "available_values": [], + "default": "*" + }, + { + "name": "Incident-ID", + "prefix": "@incidentId", + "available_values": [], + "default": "*" + }, + { + "name": "Entity-Type", + "prefix": "@impactScope.entities.entityType", + 
"available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/trend_micro_vision_one_xdr/assets/logs/trend-micro-vision-one-xdr.yaml b/trend_micro_vision_one_xdr/assets/logs/trend-micro-vision-one-xdr.yaml new file mode 100644 index 0000000000000..b50e8eb0df708 --- /dev/null +++ b/trend_micro_vision_one_xdr/assets/logs/trend-micro-vision-one-xdr.yaml 
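Review bot: The "Top Alerts with High Impact Score" table renders a per-row custom link whose target is the raw log attribute, `"link": "{{@workbenchLink.value}}"`, so whatever string arrives in `workbenchLink` becomes a clickable URL for every dashboard viewer with no scheme or host constraint. The Vision One API is the trusted producer here, so this is a hardening caveat rather than a defect, but the pipeline on the YAML side does not validate that attribute either, and an analyst clicking a row link has no way to see the destination first. Consider narrowing the table's `search.query` so only rows whose link points at the Trend Micro portal get a link, e.g. `source:trend-micro-vision-one-xdr service:alerts @workbenchLink:https\\://portal*.trendmicro.com* $Status $Incident-ID $Entity-Type $Alert-ID` (escaping per Datadog log-search syntax; verify the wildcard form), or document the trust assumption in the dashboard's description. Separately, the `$Status` template variable (prefix `@status`) is also injected into the `security_signals` queries in the Cloud SIEM group, where `status:` denotes signal severity; if the alert's `@status` attribute is not carried onto signals, selecting a value such as `Open` will blank those widgets, which is worth confirming before release.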
@@ -0,0 +1,253 @@ +id: trend-micro-vision-one-xdr +metric_id: trend-micro-vision-one-xdr +backend_only: false +facets: + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - groups: + - User + name: User Email + path: usr.email + source: log + - groups: + - User + name: User ID + path: usr.id + source: log + - groups: + - User + name: User Name + path: usr.name + source: log + - facetType: range + groups: + - Trend Micro Vision One XDR + name: Impact Score + path: trend_micro_vision_one_xdr.score + source: log + type: double +pipeline: + type: pipeline + name: Trend Micro Vision One XDR + enabled: true + filter: + query: "source:trend-micro-vision-one-xdr" + processors: + - type: date-remapper + name: "Define `updatedDateTime`, `detectedDateTime` as the official date of the log" + enabled: true + sources: + - updatedDateTime + - detectedDateTime + - type: pipeline + name: Alerts + enabled: true + filter: + query: "service:alerts " + 
processors: + - type: attribute-remapper + name: Map `score` to `trend_micro_vision_one_xdr.score` + enabled: true + sources: + - score + sourceType: attribute + target: trend_micro_vision_one_xdr.score + targetType: attribute + preserveSource: false + overrideOnConflict: false + - name: Lookup on `severity` to `alert_severity` Field + enabled: true + source: severity + target: alert_severity + lookupTable: |- + critical,Critical + high,Warning + medium,Notice + low,Info + type: lookup-processor + - type: status-remapper + name: Define `alert_severity` as the official status of the log + enabled: true + sources: + - alert_severity + - type: message-remapper + name: Define `description` as the official message of the log + enabled: true + sources: + - description + - type: pipeline + name: Observed Attack Techniques + enabled: true + filter: + query: "service:observed-attack-techniques" + processors: + - type: attribute-remapper + name: Map `detail.userDisplayName` to `usr.name` + enabled: true + sources: + - detail.userDisplayName + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `detail.userId` to `usr.id` + enabled: true + sources: + - detail.userId + sourceType: attribute + target: usr.id + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `detail.src`, `detail.sourceIPAddress`, `detail.mailSenderIp`, + `detail.ipAddress` to `network.client.ip` + enabled: true + sources: + - detail.src + - detail.sourceIPAddress + - detail.mailSenderIp + - detail.ipAddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `detail.spt` to `network.client.port` + enabled: true + sources: + - detail.spt + sourceType: attribute + target: network.client.port + targetType: attribute + 
preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `detail.dst` to `network.destination.ip` + enabled: true + sources: + - detail.dst + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `detail.dpt` to `network.destination.port` + enabled: true + sources: + - detail.dpt + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `detail.mailToAddresses` to `usr.email` + enabled: true + sources: + - detail.mailToAddresses + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: geo-ip-parser + name: Extracting geolocation information from the client IP + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - name: Lookup on `detail.filterRiskLevel` to `oat_event_severity` Field + enabled: true + source: detail.filterRiskLevel + target: oat_event_severity + lookupTable: |- + critical,Critical + high,Warning + medium,Notice + low,Info + info,Debug + type: lookup-processor + - name: Lookup on `detail.eventId` to `event_type` + enabled: true + source: detail.eventId + target: event_type + lookupTable: |- + 1,EVENT_PROCESS + 2,EVENT_FILE + 3,EVENT_CONNECTIO + 4,EVENT_DNS + 5,EVENT_REGISTRY + 6,EVENT_ACCOUNT + 7,EVENT_INTERNET + 8,XDR_EVENT_MODIFIED_PROCESS + 9,EVENT_WINDOWS_HOOK + 10,EVENT_WINDOWS_EVENT + 11,EVENT_AMSI + 12,EVENT_WMI + 13,TELEMETRY_MEMORY + 14,TELEMETRY_BM + type: lookup-processor + - type: status-remapper + name: Define `oat_event_severity` as the official status of the log + enabled: true + sources: + - oat_event_severity 
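Review bot: The `detail.eventId` lookup table in the Observed Attack Techniques sub-pipeline has a truncated enum value, `3,EVENT_CONNECTIO`, which will surface as a misspelled `event_type` facet value for every network-connection event; it should read `3,EVENT_CONNECTION`, matching the naming of the other entries. The severity lookups also collapse `high` onto `Warning` and `medium` onto `Notice` for both `alert_severity` and `oat_event_severity`, which means a high-severity XDR alert shows up below Datadog's `Error` level in status-based monitors and Log Explorer colouring; mapping `high,Error` (keeping `critical,Critical`) would preserve the ordering analysts expect, though the dashboards query `@severity` directly so this is a consistency point rather than a break. The Alerts sub-pipeline filter `query: "service:alerts "` carries a trailing space, harmless today but worth trimming so it matches the `service:observed-attack-techniques` filter style. Note that `detail.mailToAddresses` is remapped to `usr.email`, so the "User Email" facet will hold mail recipients rather than the acting user; a one-line comment above that remapper stating this would prevent mis-reading it during an investigation.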
diff --git a/trend_micro_vision_one_xdr/assets/logs/trend-micro-vision-one-xdr_tests.yaml b/trend_micro_vision_one_xdr/assets/logs/trend-micro-vision-one-xdr_tests.yaml new file mode 100644 index 0000000000000..75d17733ca5da --- /dev/null +++ b/trend_micro_vision_one_xdr/assets/logs/trend-micro-vision-one-xdr_tests.yaml 
@@ -0,0 +1,1470 @@ +id: trend-micro-vision-one-xdr +tests: + - + sample: |- + { + "investigationStatus" : "New", + "severity" : "low", + "schemaVersion" : "1.15", + "matchedRules" : [ { + "name" : "Predictive Machine Learning Detection - Blocked", + "id" : "b52ebb2a-b7b0-4521-b0c9-1a04715c9871", + "matchedFilters" : [ { + "matchedDateTime" : "2024-07-30T06:24:52.000Z", + "name" : "Predictive Machine Learning Detection - Blocked", + "id" : "15d9a461-14c4-444b-9d17-7b258894b816", + "matchedEvents" : [ { + "matchedDateTime" : "2024-07-30T06:24:52.000Z", + "type" : "PRODUCT_EVENT_LOG", + "uuid" : "966495ba-1cde-491b-a62c-fd62f4ebb80b" + } ] + } ] + } ], + "workbenchLink" : "https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-12773-20240730-00015", + "modelId" : "5727ebf9-9e6a-47f3-b27f-4129763f7688", + "createdDateTime" : "2024-07-30T07:18:33Z", + "description" : "An unknown threat was detected on an endpoint and blocked by Trend Micro Predictive Machine Learning.", + "investigationResult" : "No Findings", + "alertProvider" : "SAE", + "modelType" : "preset", + "indicators" : [ { + "provenance" : [ "Alert" ], + "field" : "detectionName", + "filterIds" : [ "15d9a461-14c4-444b-9d17-7b258894b816" ], + "id" : 1, + "type" : "detection_name", + "relatedEntities" : [ "B159820E-5BB3-49F2-AD98-75A4F2052282" ], + "value" : "TROJ.Win32.TRX.XXPE50FLM011" + }, { + "provenance" : [ "Alert" ], + "field" : "fileHash", + "filterIds" : [ "15d9a461-14c4-444b-9d17-7b258894b816" ], + "id" : 2, + "type" : "file_sha1", + "relatedEntities" : [ "B159820E-5BB3-49F2-AD98-75A4F2052282" ], + "value" : "609A2BB1984FF9DBBFDBC8A88E1A57FC7691E6E6" + }, { + "provenance" : [ "Alert" ], + "field" : "fileName", + "filterIds" : [ "15d9a461-14c4-444b-9d17-7b258894b816" ], + "id" : 3, + "type" : "filename", + "relatedEntities" : [ "B159820E-5BB3-49F2-AD98-75A4F2052282" ], + "value" : "inv.exe" + }, { + "provenance" : [ "Alert" ], + "field" : "fullPath", + "filterIds" : [ 
"15d9a461-14c4-444b-9d17-7b258894b816" ], + "id" : 4, + "type" : "fullpath", + "relatedEntities" : [ "B159820E-5BB3-49F2-AD98-75A4F2052282" ], + "value" : "full\\path" + }, { + "provenance" : [ "Alert" ], + "field" : "actResult", + "filterIds" : [ "15d9a461-14c4-444b-9d17-7b258894b816" ], + "id" : 5, + "type" : "text", + "relatedEntities" : [ "B159820E-5BB3-49F2-AD98-75A4F2052282" ], + "value" : "Quarantine successfully" + }, { + "provenance" : [ "Alert" ], + "field" : "processUser", + "filterIds" : [ "15d9a461-14c4-444b-9d17-7b258894b816" ], + "id" : 6, + "type" : "user_account", + "relatedEntities" : [ "B159820E-5BB3-49F2-AD98-75A4F2052282" ], + "value" : "Crest" + } ], + "updatedDateTime" : "2024-07-30T07:18:38Z", + "score" : 20, + "model" : "Unknown Threat Detection and Mitigation via Predictive Machine Learning", + "id" : "WB-12773-20240730-00015", + "incidentId" : "IC-12773-20240730-00000", + "impactScope" : { + "serverCount" : 0, + "accountCount" : 0, + "desktopCount" : 1, + "entities" : [ { + "entityValue" : { + "name" : "assettag-eid", + "guid" : "B159820E-5BB3-49F2-AD98-75A4F2046547", + "ips" : [ "10.10.10.10" ] + }, + "provenance" : [ "Alert" ], + "managementScopeGroupId" : "de4f892d-d1ed-450f-a8c1-4d838768f054", + "entityType" : "host", + "entityId" : "B159820E-5BB3-49F2-AD98-75A4F2046547", + "relatedIndicatorIds" : [ 1, 2, 3, 4, 5, 6 ] + } ], + "emailAddressCount" : 0, + "cloudIdentityCount" : 0, + "containerCount" : 0 + }, + "status" : "Open" + } + service: "alerts" + result: + custom: + alertProvider: "SAE" + alert_severity: "Info" + createdDateTime: "2024-07-30T07:18:33Z" + id: "WB-12773-20240730-00015" + impactScope: + accountCount: 0 + cloudIdentityCount: 0 + containerCount: 0 + desktopCount: 1 + emailAddressCount: 0 + entities: + - + entityValue: + name: "assettag-eid" + guid: "B159820E-5BB3-49F2-AD98-75A4F2046547" + ips: + - "10.10.10.10" + provenance: + - "Alert" + managementScopeGroupId: "de4f892d-d1ed-450f-a8c1-4d838768f054" + entityType: 
"host" + entityId: "B159820E-5BB3-49F2-AD98-75A4F2046547" + relatedIndicatorIds: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + serverCount: 0 + incidentId: "IC-12773-20240730-00000" + indicators: + - + provenance: + - "Alert" + field: "detectionName" + filterIds: + - "15d9a461-14c4-444b-9d17-7b258894b816" + id: 1 + type: "detection_name" + relatedEntities: + - "B159820E-5BB3-49F2-AD98-75A4F2052282" + value: "TROJ.Win32.TRX.XXPE50FLM011" + - + provenance: + - "Alert" + field: "fileHash" + filterIds: + - "15d9a461-14c4-444b-9d17-7b258894b816" + id: 2 + type: "file_sha1" + relatedEntities: + - "B159820E-5BB3-49F2-AD98-75A4F2052282" + value: "609A2BB1984FF9DBBFDBC8A88E1A57FC7691E6E6" + - + provenance: + - "Alert" + field: "fileName" + filterIds: + - "15d9a461-14c4-444b-9d17-7b258894b816" + id: 3 + type: "filename" + relatedEntities: + - "B159820E-5BB3-49F2-AD98-75A4F2052282" + value: "inv.exe" + - + provenance: + - "Alert" + field: "fullPath" + filterIds: + - "15d9a461-14c4-444b-9d17-7b258894b816" + id: 4 + type: "fullpath" + relatedEntities: + - "B159820E-5BB3-49F2-AD98-75A4F2052282" + value: "full\\path" + - + provenance: + - "Alert" + field: "actResult" + filterIds: + - "15d9a461-14c4-444b-9d17-7b258894b816" + id: 5 + type: "text" + relatedEntities: + - "B159820E-5BB3-49F2-AD98-75A4F2052282" + value: "Quarantine successfully" + - + provenance: + - "Alert" + field: "processUser" + filterIds: + - "15d9a461-14c4-444b-9d17-7b258894b816" + id: 6 + type: "user_account" + relatedEntities: + - "B159820E-5BB3-49F2-AD98-75A4F2052282" + value: "Crest" + investigationResult: "No Findings" + investigationStatus: "New" + matchedRules: + - + name: "Predictive Machine Learning Detection - Blocked" + id: "b52ebb2a-b7b0-4521-b0c9-1a04715c9871" + matchedFilters: + - + matchedDateTime: "2024-07-30T06:24:52.000Z" + name: "Predictive Machine Learning Detection - Blocked" + id: "15d9a461-14c4-444b-9d17-7b258894b816" + matchedEvents: + - + matchedDateTime: "2024-07-30T06:24:52.000Z" + type: 
"PRODUCT_EVENT_LOG" + uuid: "966495ba-1cde-491b-a62c-fd62f4ebb80b" + model: "Unknown Threat Detection and Mitigation via Predictive Machine Learning" + modelId: "5727ebf9-9e6a-47f3-b27f-4129763f7688" + modelType: "preset" + schemaVersion: "1.15" + severity: "low" + status: "Open" + trend_micro_vision_one_xdr: + score: 20 + updatedDateTime: "2024-07-30T07:18:38Z" + workbenchLink: "https://portal.in.xdr.trendmicro.com/index.html#/workbench/alerts/WB-12773-20240730-00015" + message: "An unknown threat was detected on an endpoint and blocked by Trend Micro Predictive Machine Learning." + service: "alerts" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1722323918000 + - + sample: |- + { + "endpoint" : { + "agentGuid" : "801b7e5f-902e-4ebd-ad6a-c8f431fe6053", + "endpointName" : "DESKTOP-N19I543", + "ips" : [ "ab80::42jk:a793:2667:b585", "10.10.10.10" ] + }, + "detectedDateTime" : "2024-07-30T16:20:25Z", + "entityType" : "endpoint", + "entityName" : "DESKTOP-N19I543(ab80::42jk:a793:2667:b585,10.10.10.10)", + "source" : "endpointActivityData", + "filters" : [ { + "riskLevel" : "low", + "mitreTacticIds" : [ "TA0002", "TA0003", "TA0004" ], + "mitreTechniqueIds" : [ "T1053", "T1053.005" ], + "name" : "Creation of Scheduled Task", + "description" : "A scheduled task was created via command-line", + "id" : "F1507", + "highlightedObjects" : [ { + "field" : "objectCmd", + "type" : "command_line", + "value" : "SysWOW64\\schtasks.exe -create -tn Microsoft\\Windows\\WindowsUpdate\\RUXIM\\PLUGScheduler -xml plugscheduler.xml -F" + }, { + "field" : "processCmd", + "type" : "command_line", + "value" : "system32\\msiexec.exe /V" + } ], + "type" : "preset" + } ], + "detail" : { + "processFileHashSha256" : "d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb", + "processUserDomain" : "NT AUTHORITY", + "eventSubId" : 2, + "plang" : 1, + "pver" : "1.2.0.5259", + "objectSignerFlagsRuntime" : [ false ], + "processSignerFlagsLibValid" : [ false ], + 
"objectTrueType" : 7, + "processFileSize" : "69632", + "endpointHostName" : "DESKTOP-N19I543", + "objectSessionId" : "0", + "parentFilePath" : "System32\\services.exe", + "processLaunchTime" : "1722356422814", + "objectHashId" : "148323463451116793", + "eventSourceType" : 1, + "objectIntegrityLevel" : 16384, + "objectRunAsLocalAccount" : false, + "tags" : [ "MITRE.T1053.005", "XSAE.F1507", "MITRE.T1053" ], + "parentName" : "System32\\services.exe", + "lastSeen" : "1722356425050", + "parentSignerFlagsLibValid" : [ false ], + "objectUser" : "SYSTEM", + "objectFileCreation" : "1722282120740", + "osDescription" : "Windows 10 Pro (64 bit) build 19045", + "objectCmd" : "SysWOW64\\schtasks.exe -create -tn Microsoft\\Windows\\WindowsUpdate\\RUXIM\\PLUGScheduler -xml plugscheduler.xml -F", + "osVer" : "10.0.19045", + "processSigner" : [ "Microsoft Windows" ], + "parentCmd" : "system32\\services.exe", + "endpointMacAddress" : [ "00:0d:30:e4:8b:b6" ], + "parentFileCreation" : "1722281953380", + "processFileHashMd5" : "78912ea8790de51d2c7ceb9b8c572346", + "processCmd" : "system32\\msiexec.exe /V", + "processUserGroupSids" : [ "S-1-16-16384", "S-1-1-0", "S-1-5-32-545", "S-1-5-6", "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966", "S-1-5-5-0-36366980", "S-1-2-0", "S-1-5-32-544" ], + "parentSessionId" : 0, + "parentFileHashId" : "-4092577940452904134", + "sessionId" : 0, + "processFilePath" : "System32\\msiexec.exe", + "osName" : "Windows", + "productCode" : "xes", + "parentFileHashSha256" : "1efd9a81b2ddf21b3f327d67a6f8f88f814979e84085ec812af72450310d4281", + "processFileHashSha1" : "6a795b8a432514f20ff884f1a5286ea82e32e150", + "processTrueType" : 7, + "objectFileHashId" : "-370955917314104624", + "objectFileSize" : "187904", + "parentHashId" : "-5897584668177803063", + "parentSignerValid" : [ true ], + "uuid" : "65f9d8c7-33a9-41a3-a1a6-445376599211", + "parentUserDomain" : "NT AUTHORITY", + "eventHashId" : 
"-8250022594686035748", + "processSignerValid" : [ true ], + "parentFileModifiedTime" : "1722281953458", + "objectFileHashSha256" : "29f6fc1bb0e68cb4fc1ec597604ec5aca7fcef7d0d9241218596d941f04f16e7", + "processName" : "System32\\msiexec.exe", + "parentSignerFlagsAdhoc" : [ false ], + "parentAuthId" : "999", + "objectFileHashMd5" : "db6f48dc66879299b49ee3f1df0607f1", + "filterRiskLevel" : "low", + "eventId" : "1", + "firstSeen" : "1722356425050", + "objectFilePath" : "SysWOW64\\schtasks.exe", + "pname" : "751", + "parentLaunchTime" : "1722285790679", + "parentFileHashMd5" : "4eacbe64bb1e7d58e8a26340ed1c7cbd", + "processSignerFlagsAdhoc" : [ false ], + "objectSigner" : [ "Microsoft Windows" ], + "processPid" : 408, + "parentSigner" : [ "Microsoft Windows Publisher" ], + "objectSignerFlagsLibValid" : [ false ], + "integrityLevel" : 16384, + "processFileModifiedTime" : "1722282337774", + "objectFileHashSha1" : "5673be4c0b3d6c963651ec1e4adb7aaabadf5a19", + "pplat" : 5889, + "parentSignerFlagsRuntime" : [ false ], + "parentIntegrityLevel" : 16384, + "processSignerFlagsRuntime" : [ false ], + "objectLaunchTime" : "1722356425049", + "objectUserGroupSids" : [ "S-1-16-16384", "S-1-1-0", "S-1-5-32-545", "S-1-5-6", "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966", "S-1-5-5-0-36366980", "S-1-2-0", "S-1-5-32-544" ], + "timezone" : "UTC+05:30", + "processUser" : "SYSTEM", + "logReceivedTime" : "1722356504612", + "objectSignerFlagsAdhoc" : [ false ], + "authId" : "999", + "osType" : "0x00000030", + "processFileCreation" : "1722282337759", + "objectUserDomain" : "NT AUTHORITY", + "processHashId" : "7052107378290747991", + "parentPid" : 688, + "endpointIp" : [ "ab80::42jk:a793:2667:b585", "10.10.10.10" ], + "objectSignerValid" : [ true ], + "parentTrueType" : 7, + "parentFileSize" : "716544", + "parentFileHashSha1" : "6703d48349de8c836c0eaffac5cfac7679da7f60", + "objectAuthId" : "999", + "endpointGuid" : 
"801b7e5f-902e-4ebd-ad6a-c8f431fe6053", + "objectName" : "SysWOW64\\schtasks.exe", + "processFileHashId" : "-5659244633155638992", + "objectPid" : 6292, + "parentUser" : "SYSTEM", + "objectFileModifiedTime" : "1722282120756" + }, + "ingestedDateTime" : "2024-07-30T16:22:16Z", + "uuid" : "65f9d8c7-33a9-41a3-a1a6-445376599211" + } + service: "observed-attack-techniques" + result: + custom: + detail: + authId: "999" + endpointGuid: "801b7e5f-902e-4ebd-ad6a-c8f431fe6053" + endpointHostName: "DESKTOP-N19I543" + endpointIp: + - "ab80::42jk:a793:2667:b585" + - "10.10.10.10" + endpointMacAddress: + - "00:0d:30:e4:8b:b6" + eventHashId: "-8250022594686035748" + eventId: "1" + eventSourceType: 1 + eventSubId: 2 + filterRiskLevel: "low" + firstSeen: "1722356425050" + integrityLevel: 16384 + lastSeen: "1722356425050" + logReceivedTime: "1722356504612" + objectAuthId: "999" + objectCmd: "SysWOW64\\schtasks.exe -create -tn Microsoft\\Windows\\WindowsUpdate\\RUXIM\\PLUGScheduler -xml plugscheduler.xml -F" + objectFileCreation: "1722282120740" + objectFileHashId: "-370955917314104624" + objectFileHashMd5: "db6f48dc66879299b49ee3f1df0607f1" + objectFileHashSha1: "5673be4c0b3d6c963651ec1e4adb7aaabadf5a19" + objectFileHashSha256: "29f6fc1bb0e68cb4fc1ec597604ec5aca7fcef7d0d9241218596d941f04f16e7" + objectFileModifiedTime: "1722282120756" + objectFilePath: "SysWOW64\\schtasks.exe" + objectFileSize: "187904" + objectHashId: "148323463451116793" + objectIntegrityLevel: 16384 + objectLaunchTime: "1722356425049" + objectName: "SysWOW64\\schtasks.exe" + objectPid: 6292 + objectRunAsLocalAccount: false + objectSessionId: "0" + objectSigner: + - "Microsoft Windows" + objectSignerFlagsAdhoc: + - false + objectSignerFlagsLibValid: + - false + objectSignerFlagsRuntime: + - false + objectSignerValid: + - true + objectTrueType: 7 + objectUser: "SYSTEM" + objectUserDomain: "NT AUTHORITY" + objectUserGroupSids: + - "S-1-16-16384" + - "S-1-1-0" + - "S-1-5-32-545" + - "S-1-5-6" + - "S-1-2-1" + - 
"S-1-5-11" + - "S-1-5-15" + - "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966" + - "S-1-5-5-0-36366980" + - "S-1-2-0" + - "S-1-5-32-544" + osDescription: "Windows 10 Pro (64 bit) build 19045" + osName: "Windows" + osType: "0x00000030" + osVer: "10.0.19045" + parentAuthId: "999" + parentCmd: "system32\\services.exe" + parentFileCreation: "1722281953380" + parentFileHashId: "-4092577940452904134" + parentFileHashMd5: "4eacbe64bb1e7d58e8a26340ed1c7cbd" + parentFileHashSha1: "6703d48349de8c836c0eaffac5cfac7679da7f60" + parentFileHashSha256: "1efd9a81b2ddf21b3f327d67a6f8f88f814979e84085ec812af72450310d4281" + parentFileModifiedTime: "1722281953458" + parentFilePath: "System32\\services.exe" + parentFileSize: "716544" + parentHashId: "-5897584668177803063" + parentIntegrityLevel: 16384 + parentLaunchTime: "1722285790679" + parentName: "System32\\services.exe" + parentPid: 688 + parentSessionId: 0 + parentSigner: + - "Microsoft Windows Publisher" + parentSignerFlagsAdhoc: + - false + parentSignerFlagsLibValid: + - false + parentSignerFlagsRuntime: + - false + parentSignerValid: + - true + parentTrueType: 7 + parentUser: "SYSTEM" + parentUserDomain: "NT AUTHORITY" + plang: 1 + pname: "751" + pplat: 5889 + processCmd: "system32\\msiexec.exe /V" + processFileCreation: "1722282337759" + processFileHashId: "-5659244633155638992" + processFileHashMd5: "78912ea8790de51d2c7ceb9b8c572346" + processFileHashSha1: "6a795b8a432514f20ff884f1a5286ea82e32e150" + processFileHashSha256: "d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb" + processFileModifiedTime: "1722282337774" + processFilePath: "System32\\msiexec.exe" + processFileSize: "69632" + processHashId: "7052107378290747991" + processLaunchTime: "1722356422814" + processName: "System32\\msiexec.exe" + processPid: 408 + processSigner: + - "Microsoft Windows" + processSignerFlagsAdhoc: + - false + processSignerFlagsLibValid: + - false + processSignerFlagsRuntime: + - false + processSignerValid: + - 
true + processTrueType: 7 + processUser: "SYSTEM" + processUserDomain: "NT AUTHORITY" + processUserGroupSids: + - "S-1-16-16384" + - "S-1-1-0" + - "S-1-5-32-545" + - "S-1-5-6" + - "S-1-2-1" + - "S-1-5-11" + - "S-1-5-15" + - "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966" + - "S-1-5-5-0-36366980" + - "S-1-2-0" + - "S-1-5-32-544" + productCode: "xes" + pver: "1.2.0.5259" + sessionId: 0 + tags: + - "MITRE.T1053.005" + - "XSAE.F1507" + - "MITRE.T1053" + timezone: "UTC+05:30" + uuid: "65f9d8c7-33a9-41a3-a1a6-445376599211" + detectedDateTime: "2024-07-30T16:20:25Z" + endpoint: + agentGuid: "801b7e5f-902e-4ebd-ad6a-c8f431fe6053" + endpointName: "DESKTOP-N19I543" + ips: + - "ab80::42jk:a793:2667:b585" + - "10.10.10.10" + entityName: "DESKTOP-N19I543(ab80::42jk:a793:2667:b585,10.10.10.10)" + entityType: "endpoint" + event_type: "EVENT_PROCESS" + filters: + - + riskLevel: "low" + mitreTacticIds: + - "TA0002" + - "TA0003" + - "TA0004" + mitreTechniqueIds: + - "T1053" + - "T1053.005" + name: "Creation of Scheduled Task" + description: "A scheduled task was created via command-line" + id: "F1507" + highlightedObjects: + - + field: "objectCmd" + type: "command_line" + value: "SysWOW64\\schtasks.exe -create -tn Microsoft\\Windows\\WindowsUpdate\\RUXIM\\PLUGScheduler -xml plugscheduler.xml -F" + - + field: "processCmd" + type: "command_line" + value: "system32\\msiexec.exe /V" + type: "preset" + ingestedDateTime: "2024-07-30T16:22:16Z" + oat_event_severity: "Info" + source: "endpointActivityData" + uuid: "65f9d8c7-33a9-41a3-a1a6-445376599211" + message: |- + { + "endpoint" : { + "agentGuid" : "801b7e5f-902e-4ebd-ad6a-c8f431fe6053", + "endpointName" : "DESKTOP-N19I543", + "ips" : [ "ab80::42jk:a793:2667:b585", "10.10.10.10" ] + }, + "detectedDateTime" : "2024-07-30T16:20:25Z", + "entityType" : "endpoint", + "entityName" : "DESKTOP-N19I543(ab80::42jk:a793:2667:b585,10.10.10.10)", + "source" : "endpointActivityData", + "filters" : [ { + "riskLevel" : "low", + 
"mitreTacticIds" : [ "TA0002", "TA0003", "TA0004" ], + "mitreTechniqueIds" : [ "T1053", "T1053.005" ], + "name" : "Creation of Scheduled Task", + "description" : "A scheduled task was created via command-line", + "id" : "F1507", + "highlightedObjects" : [ { + "field" : "objectCmd", + "type" : "command_line", + "value" : "SysWOW64\\schtasks.exe -create -tn Microsoft\\Windows\\WindowsUpdate\\RUXIM\\PLUGScheduler -xml plugscheduler.xml -F" + }, { + "field" : "processCmd", + "type" : "command_line", + "value" : "system32\\msiexec.exe /V" + } ], + "type" : "preset" + } ], + "detail" : { + "processFileHashSha256" : "d53e90af814f61e09bff87a883a3b0dcb7dcf883f17a2425a62a2d4b5a9407fb", + "processUserDomain" : "NT AUTHORITY", + "eventSubId" : 2, + "plang" : 1, + "pver" : "1.2.0.5259", + "objectSignerFlagsRuntime" : [ false ], + "processSignerFlagsLibValid" : [ false ], + "objectTrueType" : 7, + "processFileSize" : "69632", + "endpointHostName" : "DESKTOP-N19I543", + "objectSessionId" : "0", + "parentFilePath" : "System32\\services.exe", + "processLaunchTime" : "1722356422814", + "objectHashId" : "148323463451116793", + "eventSourceType" : 1, + "objectIntegrityLevel" : 16384, + "objectRunAsLocalAccount" : false, + "tags" : [ "MITRE.T1053.005", "XSAE.F1507", "MITRE.T1053" ], + "parentName" : "System32\\services.exe", + "lastSeen" : "1722356425050", + "parentSignerFlagsLibValid" : [ false ], + "objectUser" : "SYSTEM", + "objectFileCreation" : "1722282120740", + "osDescription" : "Windows 10 Pro (64 bit) build 19045", + "objectCmd" : "SysWOW64\\schtasks.exe -create -tn Microsoft\\Windows\\WindowsUpdate\\RUXIM\\PLUGScheduler -xml plugscheduler.xml -F", + "osVer" : "10.0.19045", + "processSigner" : [ "Microsoft Windows" ], + "parentCmd" : "system32\\services.exe", + "endpointMacAddress" : [ "00:0d:30:e4:8b:b6" ], + "parentFileCreation" : "1722281953380", + "processFileHashMd5" : "78912ea8790de51d2c7ceb9b8c572346", + "processCmd" : "system32\\msiexec.exe /V", + 
"processUserGroupSids" : [ "S-1-16-16384", "S-1-1-0", "S-1-5-32-545", "S-1-5-6", "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966", "S-1-5-5-0-36366980", "S-1-2-0", "S-1-5-32-544" ], + "parentSessionId" : 0, + "parentFileHashId" : "-4092577940452904134", + "sessionId" : 0, + "processFilePath" : "System32\\msiexec.exe", + "osName" : "Windows", + "productCode" : "xes", + "parentFileHashSha256" : "1efd9a81b2ddf21b3f327d67a6f8f88f814979e84085ec812af72450310d4281", + "processFileHashSha1" : "6a795b8a432514f20ff884f1a5286ea82e32e150", + "processTrueType" : 7, + "objectFileHashId" : "-370955917314104624", + "objectFileSize" : "187904", + "parentHashId" : "-5897584668177803063", + "parentSignerValid" : [ true ], + "uuid" : "65f9d8c7-33a9-41a3-a1a6-445376599211", + "parentUserDomain" : "NT AUTHORITY", + "eventHashId" : "-8250022594686035748", + "processSignerValid" : [ true ], + "parentFileModifiedTime" : "1722281953458", + "objectFileHashSha256" : "29f6fc1bb0e68cb4fc1ec597604ec5aca7fcef7d0d9241218596d941f04f16e7", + "processName" : "System32\\msiexec.exe", + "parentSignerFlagsAdhoc" : [ false ], + "parentAuthId" : "999", + "objectFileHashMd5" : "db6f48dc66879299b49ee3f1df0607f1", + "filterRiskLevel" : "low", + "eventId" : "1", + "firstSeen" : "1722356425050", + "objectFilePath" : "SysWOW64\\schtasks.exe", + "pname" : "751", + "parentLaunchTime" : "1722285790679", + "parentFileHashMd5" : "4eacbe64bb1e7d58e8a26340ed1c7cbd", + "processSignerFlagsAdhoc" : [ false ], + "objectSigner" : [ "Microsoft Windows" ], + "processPid" : 408, + "parentSigner" : [ "Microsoft Windows Publisher" ], + "objectSignerFlagsLibValid" : [ false ], + "integrityLevel" : 16384, + "processFileModifiedTime" : "1722282337774", + "objectFileHashSha1" : "5673be4c0b3d6c963651ec1e4adb7aaabadf5a19", + "pplat" : 5889, + "parentSignerFlagsRuntime" : [ false ], + "parentIntegrityLevel" : 16384, + "processSignerFlagsRuntime" : [ false ], + "objectLaunchTime" : 
"1722356425049", + "objectUserGroupSids" : [ "S-1-16-16384", "S-1-1-0", "S-1-5-32-545", "S-1-5-6", "S-1-2-1", "S-1-5-11", "S-1-5-15", "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966", "S-1-5-5-0-36366980", "S-1-2-0", "S-1-5-32-544" ], + "timezone" : "UTC+05:30", + "processUser" : "SYSTEM", + "logReceivedTime" : "1722356504612", + "objectSignerFlagsAdhoc" : [ false ], + "authId" : "999", + "osType" : "0x00000030", + "processFileCreation" : "1722282337759", + "objectUserDomain" : "NT AUTHORITY", + "processHashId" : "7052107378290747991", + "parentPid" : 688, + "endpointIp" : [ "ab80::42jk:a793:2667:b585", "10.10.10.10" ], + "objectSignerValid" : [ true ], + "parentTrueType" : 7, + "parentFileSize" : "716544", + "parentFileHashSha1" : "6703d48349de8c836c0eaffac5cfac7679da7f60", + "objectAuthId" : "999", + "endpointGuid" : "801b7e5f-902e-4ebd-ad6a-c8f431fe6053", + "objectName" : "SysWOW64\\schtasks.exe", + "processFileHashId" : "-5659244633155638992", + "objectPid" : 6292, + "parentUser" : "SYSTEM", + "objectFileModifiedTime" : "1722282120756" + }, + "ingestedDateTime" : "2024-07-30T16:22:16Z", + "uuid" : "65f9d8c7-33a9-41a3-a1a6-445376599211" + } + service: "observed-attack-techniques" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1722356425000 + - + sample: |- + { + "endpoint" : { + "agentGuid" : "b159820e-5bb3-49f2-ad98-75a4f2052282", + "endpointName" : "ASSETTAG-EID", + "ips" : [ "10.10.10.10" ] + }, + "detectedDateTime" : "2024-07-31T05:00:44Z", + "entityType" : "endpoint", + "entityName" : "ASSETTAG-EID(10.10.10.10)", + "source" : "identityActivityData", + "filters" : [ { + "riskLevel" : "medium", + "mitreTacticIds" : [ "TA0002" ], + "mitreTechniqueIds" : [ "T1204.002" ], + "name" : "Malicious Software", + "description" : "A malicious software was detected on an endpoint.", + "id" : "F2140", + "highlightedObjects" : [ { + "field" : "fileHash", + "type" : "file_sha1", + "value" : "527a3b861f37d16d356250f9e9bad4c43a850ebf" + }, { + 
"field" : "fileName", + "type" : "filename", + "value" : [ "Unconfirmed 667870.crdownload" ] + }, { + "field" : "fullPath", + "type" : "fullpath", + "value" : "\\Downloads\\Unconfirmed 667870.crdownload" + }, { + "field" : "malName", + "type" : "detection_name", + "value" : "TROJ_GEN.R03BC0PG624" + }, { + "field" : "actResult", + "type" : "text", + "value" : [ "Encrypted" ] + }, { + "field" : "scanType", + "type" : "text", + "value" : "Real-time Scan" + }, { + "field" : "endpointIp", + "type" : "ip", + "value" : [ "10.10.10.10" ] + } ], + "type" : "preset" + } ], + "detail" : { + "idpName" : "GTPL", + "eventCategory" : "Media and Entertainment", + "groupId" : "3g35av3545", + "eventAdditionalDetails" : "This is test sentence.", + "statusDetail" : "Log In", + "uuid" : "31f42842-e527-443a-bb9d-1918c0f65342", + "statusReason" : "Logged In", + "initiatedByServicePrincipalId" : "234eer345", + "locationCountry" : "Sweden", + "initiatedByAppDisplayName" : "Outlook", + "bitwiseFilterRiskLevel" : 2, + "locationLongitude" : "59.3293", + "eventName" : "The Detected Malware Scan", + "loggedByService" : "Microfost", + "filterRiskLevel" : "medium", + "locationState" : "Gotland", + "targetResources" : "Outlook Application.", + "eventId" : "214sf3445", + "initiatedByUserId" : "3424455d345", + "pname" : "2345wwy48", + "ipAddress" : "10.10.10.10", + "initiatedByUserPrincipalName" : "FIGI-ED", + "eventSourceType" : 3, + "version" : "2.1", + "tenantGuid" : "322434d344qd341", + "tags" : [ "1", "2" ], + "targetResourceDisplayName" : "Facetime", + "mgmtInstanceId" : "dsa92j2424e", + "targetResourceId" : "23e2t42w34", + "clientDisplayName" : "Microfost", + "operationType" : "Scanning", + "locationCity" : "Stockholm", + "status" : "Open", + "actionName" : "Sign Out", + "idpId" : "2", + "requestMethod" : "2 Way Authentication", + "clientOS" : "Windows 11", + "initiatedByAppId" : "33245", + "tmFilterRiskLevel" : "High", + "result" : "Fail", + "clientBrowser" : "Google Chrome", + 
"partitionKey" : "34787654324567890987", + "customFilterTags" : "scan", + "initiatedByUserDisplayName" : "John", + "clientApp" : "Outlook", + "initiatedByUserHomeTenantName" : "Hugh", + "resultReason" : "Malware Found.", + "customerId" : "191648c0f65342", + "packageTraceId" : "3e4rr245", + "correlationId" : "234r34r542w13", + "initiatedByUserIpAddress" : "10.10.10.10", + "clientId" : "de249o34", + "locationLatitude" : "18.0686", + "userDisplayName" : "Jordan", + "userAgent" : "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41", + "userId" : "23fd34w4", + "initiatedByUserHomeTenantId" : "3245de344", + "productCode" : "aad", + "customFilterRiskLevel" : "High", + "receivedTime" : "2024-07-31T07:01:44Z", + "initiatedByServicePrincipalName" : "ETTES-ER", + "policyTreePath" : "C:\\desktop\\malware.sys" + }, + "ingestedDateTime" : "2024-07-31T05:00:49Z", + "uuid" : "31f42842-e527-443a-bb9d-1918c0f65342" + } + service: "observed-attack-techniques" + result: + custom: + detail: + actionName: "Sign Out" + bitwiseFilterRiskLevel: 2 + clientApp: "Outlook" + clientBrowser: "Google Chrome" + clientDisplayName: "Microfost" + clientId: "de249o34" + clientOS: "Windows 11" + correlationId: "234r34r542w13" + customFilterRiskLevel: "High" + customFilterTags: "scan" + customerId: "191648c0f65342" + eventAdditionalDetails: "This is test sentence." 
+ eventCategory: "Media and Entertainment" + eventId: "214sf3445" + eventName: "The Detected Malware Scan" + eventSourceType: 3 + filterRiskLevel: "medium" + groupId: "3g35av3545" + idpId: "2" + idpName: "GTPL" + initiatedByAppDisplayName: "Outlook" + initiatedByAppId: "33245" + initiatedByServicePrincipalId: "234eer345" + initiatedByServicePrincipalName: "ETTES-ER" + initiatedByUserDisplayName: "John" + initiatedByUserHomeTenantId: "3245de344" + initiatedByUserHomeTenantName: "Hugh" + initiatedByUserId: "3424455d345" + initiatedByUserIpAddress: "10.10.10.10" + initiatedByUserPrincipalName: "FIGI-ED" + locationCity: "Stockholm" + locationCountry: "Sweden" + locationLatitude: "18.0686" + locationLongitude: "59.3293" + locationState: "Gotland" + loggedByService: "Microfost" + mgmtInstanceId: "dsa92j2424e" + operationType: "Scanning" + packageTraceId: "3e4rr245" + partitionKey: "34787654324567890987" + pname: "2345wwy48" + policyTreePath: "C:\\desktop\\malware.sys" + productCode: "aad" + receivedTime: "2024-07-31T07:01:44Z" + requestMethod: "2 Way Authentication" + result: "Fail" + resultReason: "Malware Found." + status: "Open" + statusDetail: "Log In" + statusReason: "Logged In" + tags: + - "1" + - "2" + targetResourceDisplayName: "Facetime" + targetResourceId: "23e2t42w34" + targetResources: "Outlook Application." 
+ tenantGuid: "322434d344qd341" + tmFilterRiskLevel: "High" + userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41" + uuid: "31f42842-e527-443a-bb9d-1918c0f65342" + version: "2.1" + detectedDateTime: "2024-07-31T05:00:44Z" + endpoint: + agentGuid: "b159820e-5bb3-49f2-ad98-75a4f2052282" + endpointName: "ASSETTAG-EID" + ips: + - "10.10.10.10" + entityName: "ASSETTAG-EID(10.10.10.10)" + entityType: "endpoint" + filters: + - + riskLevel: "medium" + mitreTacticIds: + - "TA0002" + mitreTechniqueIds: + - "T1204.002" + name: "Malicious Software" + description: "A malicious software was detected on an endpoint." + id: "F2140" + highlightedObjects: + - + field: "fileHash" + type: "file_sha1" + value: "527a3b861f37d16d356250f9e9bad4c43a850ebf" + - + field: "fileName" + type: "filename" + value: + - "Unconfirmed 667870.crdownload" + - + field: "fullPath" + type: "fullpath" + value: "\\Downloads\\Unconfirmed 667870.crdownload" + - + field: "malName" + type: "detection_name" + value: "TROJ_GEN.R03BC0PG624" + - + field: "actResult" + type: "text" + value: + - "Encrypted" + - + field: "scanType" + type: "text" + value: "Real-time Scan" + - + field: "endpointIp" + type: "ip" + value: + - "10.10.10.10" + type: "preset" + ingestedDateTime: "2024-07-31T05:00:49Z" + network: + client: + geoip: {} + ip: "10.10.10.10" + oat_event_severity: "Notice" + source: "identityActivityData" + usr: + id: "23fd34w4" + name: "Jordan" + uuid: "31f42842-e527-443a-bb9d-1918c0f65342" + message: |- + { + "endpoint" : { + "agentGuid" : "b159820e-5bb3-49f2-ad98-75a4f2052282", + "endpointName" : "ASSETTAG-EID", + "ips" : [ "10.10.10.10" ] + }, + "detectedDateTime" : "2024-07-31T05:00:44Z", + "entityType" : "endpoint", + "entityName" : "ASSETTAG-EID(10.10.10.10)", + "source" : "identityActivityData", + "filters" : [ { + "riskLevel" : "medium", + "mitreTacticIds" : [ "TA0002" ], + "mitreTechniqueIds" : [ "T1204.002" ], + "name" : 
"Malicious Software", + "description" : "A malicious software was detected on an endpoint.", + "id" : "F2140", + "highlightedObjects" : [ { + "field" : "fileHash", + "type" : "file_sha1", + "value" : "527a3b861f37d16d356250f9e9bad4c43a850ebf" + }, { + "field" : "fileName", + "type" : "filename", + "value" : [ "Unconfirmed 667870.crdownload" ] + }, { + "field" : "fullPath", + "type" : "fullpath", + "value" : "\\Downloads\\Unconfirmed 667870.crdownload" + }, { + "field" : "malName", + "type" : "detection_name", + "value" : "TROJ_GEN.R03BC0PG624" + }, { + "field" : "actResult", + "type" : "text", + "value" : [ "Encrypted" ] + }, { + "field" : "scanType", + "type" : "text", + "value" : "Real-time Scan" + }, { + "field" : "endpointIp", + "type" : "ip", + "value" : [ "10.10.10.10" ] + } ], + "type" : "preset" + } ], + "detail" : { + "idpName" : "GTPL", + "eventCategory" : "Media and Entertainment", + "groupId" : "3g35av3545", + "eventAdditionalDetails" : "This is test sentence.", + "statusDetail" : "Log In", + "uuid" : "31f42842-e527-443a-bb9d-1918c0f65342", + "statusReason" : "Logged In", + "initiatedByServicePrincipalId" : "234eer345", + "locationCountry" : "Sweden", + "initiatedByAppDisplayName" : "Outlook", + "bitwiseFilterRiskLevel" : 2, + "locationLongitude" : "59.3293", + "eventName" : "The Detected Malware Scan", + "loggedByService" : "Microfost", + "filterRiskLevel" : "medium", + "locationState" : "Gotland", + "targetResources" : "Outlook Application.", + "eventId" : "214sf3445", + "initiatedByUserId" : "3424455d345", + "pname" : "2345wwy48", + "ipAddress" : "10.10.10.10", + "initiatedByUserPrincipalName" : "FIGI-ED", + "eventSourceType" : 3, + "version" : "2.1", + "tenantGuid" : "322434d344qd341", + "tags" : [ "1", "2" ], + "targetResourceDisplayName" : "Facetime", + "mgmtInstanceId" : "dsa92j2424e", + "targetResourceId" : "23e2t42w34", + "clientDisplayName" : "Microfost", + "operationType" : "Scanning", + "locationCity" : "Stockholm", + "status" : "Open", + 
"actionName" : "Sign Out", + "idpId" : "2", + "requestMethod" : "2 Way Authentication", + "clientOS" : "Windows 11", + "initiatedByAppId" : "33245", + "tmFilterRiskLevel" : "High", + "result" : "Fail", + "clientBrowser" : "Google Chrome", + "partitionKey" : "34787654324567890987", + "customFilterTags" : "scan", + "initiatedByUserDisplayName" : "John", + "clientApp" : "Outlook", + "initiatedByUserHomeTenantName" : "Hugh", + "resultReason" : "Malware Found.", + "customerId" : "191648c0f65342", + "packageTraceId" : "3e4rr245", + "correlationId" : "234r34r542w13", + "initiatedByUserIpAddress" : "10.10.10.10", + "clientId" : "de249o34", + "locationLatitude" : "18.0686", + "userDisplayName" : "Jordan", + "userAgent" : "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41", + "userId" : "23fd34w4", + "initiatedByUserHomeTenantId" : "3245de344", + "productCode" : "aad", + "customFilterRiskLevel" : "High", + "receivedTime" : "2024-07-31T07:01:44Z", + "initiatedByServicePrincipalName" : "ETTES-ER", + "policyTreePath" : "C:\\desktop\\malware.sys" + }, + "ingestedDateTime" : "2024-07-31T05:00:49Z", + "uuid" : "31f42842-e527-443a-bb9d-1918c0f65342" + } + service: "observed-attack-techniques" + status: "notice" + tags: + - "source:LOGS_SOURCE" + timestamp: 1722402044000 + - + sample: |- + { + "endpoint" : { + "agentGuid" : "cedddc75-d673-4ba0-a1f6-cf6b05a84670", + "endpointName" : "LAB-Luwak-1048", + "ips" : [ "10.10.10.10", "fe70::9457:af15:b645:35os" ] + }, + "entityType" : "endpoint", + "entityName" : "desktop-17", + "detectedDateTime" : "2020-06-01T02:12:56Z", + "source" : "cloudActivityData", + "filters" : [ { + "riskLevel" : "info", + "mitreTacticIds" : [ "TA0002" ], + "mitreTechniqueIds" : [ "T1560.002" ], + "name" : "Service Execution via Service Control Manager", + "description" : "Service Control Manager (services.exe) has executed a process", + "id" : "F4231", + "highlightedObjects" : [ { + "field" 
: "objectPort", + "type" : "port", + "value" : 443 + } ], + "type" : "custom" + } ], + "detail" : { + "eventID" : "1234567890abcdef", + "awsRegion" : "us-east-1", + "eventSubId" : "1234567890abcdef", + "eventCategory" : "Management", + "eventVersion" : "1.08", + "responseElements" : "{\"User\":{\"UserName\":\"JohnDoe\"}}", + "sourceIPAddress" : "10.10.10.10", + "eventSource" : "iam.amazonaws.com", + "readOnly" : false, + "userAgent" : "aws-cli/2.7.24 Python/3.9.7 Linux/5.10.104-1-MANJARO", + "eventType" : "AwsApiCall", + "uuid" : "1234567890abcdef", + "productCode" : "", + "requestID" : "1234567890abcdef", + "customerId" : "1234567890", + "eventName" : "CreateUser", + "packageTraceId" : "1234567890abcdef", + "recipientAccountId" : "1234567890", + "managementEvent" : true, + "filterRiskLevel" : "info", + "eventCase" : "CreateUser-1234567890" + }, + "ingestedDateTime" : "2020-06-01T02:12:56Z", + "uuid" : "fdd69d98-58de-4249-9871-2e1b233b72ff" + } + service: "observed-attack-techniques" + result: + custom: + detail: + awsRegion: "us-east-1" + customerId: "1234567890" + eventCase: "CreateUser-1234567890" + eventCategory: "Management" + eventID: "1234567890abcdef" + eventName: "CreateUser" + eventSource: "iam.amazonaws.com" + eventSubId: "1234567890abcdef" + eventType: "AwsApiCall" + eventVersion: "1.08" + filterRiskLevel: "info" + managementEvent: true + packageTraceId: "1234567890abcdef" + productCode: "" + readOnly: false + recipientAccountId: "1234567890" + requestID: "1234567890abcdef" + responseElements: "{\"User\":{\"UserName\":\"JohnDoe\"}}" + userAgent: "aws-cli/2.7.24 Python/3.9.7 Linux/5.10.104-1-MANJARO" + uuid: "1234567890abcdef" + detectedDateTime: "2020-06-01T02:12:56Z" + endpoint: + agentGuid: "cedddc75-d673-4ba0-a1f6-cf6b05a84670" + endpointName: "LAB-Luwak-1048" + ips: + - "10.10.10.10" + - "fe70::9457:af15:b645:35os" + entityName: "desktop-17" + entityType: "endpoint" + filters: + - + riskLevel: "info" + mitreTacticIds: + - "TA0002" + 
mitreTechniqueIds: + - "T1560.002" + name: "Service Execution via Service Control Manager" + description: "Service Control Manager (services.exe) has executed a process" + id: "F4231" + highlightedObjects: + - + field: "objectPort" + type: "port" + value: 443 + type: "custom" + ingestedDateTime: "2020-06-01T02:12:56Z" + network: + client: + geoip: {} + ip: "10.10.10.10" + oat_event_severity: "Debug" + source: "cloudActivityData" + uuid: "fdd69d98-58de-4249-9871-2e1b233b72ff" + message: |- + { + "endpoint" : { + "agentGuid" : "cedddc75-d673-4ba0-a1f6-cf6b05a84670", + "endpointName" : "LAB-Luwak-1048", + "ips" : [ "10.10.10.10", "fe70::9457:af15:b645:35os" ] + }, + "entityType" : "endpoint", + "entityName" : "desktop-17", + "detectedDateTime" : "2020-06-01T02:12:56Z", + "source" : "cloudActivityData", + "filters" : [ { + "riskLevel" : "info", + "mitreTacticIds" : [ "TA0002" ], + "mitreTechniqueIds" : [ "T1560.002" ], + "name" : "Service Execution via Service Control Manager", + "description" : "Service Control Manager (services.exe) has executed a process", + "id" : "F4231", + "highlightedObjects" : [ { + "field" : "objectPort", + "type" : "port", + "value" : 443 + } ], + "type" : "custom" + } ], + "detail" : { + "eventID" : "1234567890abcdef", + "awsRegion" : "us-east-1", + "eventSubId" : "1234567890abcdef", + "eventCategory" : "Management", + "eventVersion" : "1.08", + "responseElements" : "{\"User\":{\"UserName\":\"JohnDoe\"}}", + "sourceIPAddress" : "10.10.10.10", + "eventSource" : "iam.amazonaws.com", + "readOnly" : false, + "userAgent" : "aws-cli/2.7.24 Python/3.9.7 Linux/5.10.104-1-MANJARO", + "eventType" : "AwsApiCall", + "uuid" : "1234567890abcdef", + "productCode" : "", + "requestID" : "1234567890abcdef", + "customerId" : "1234567890", + "eventName" : "CreateUser", + "packageTraceId" : "1234567890abcdef", + "recipientAccountId" : "1234567890", + "managementEvent" : true, + "filterRiskLevel" : "info", + "eventCase" : "CreateUser-1234567890" + }, + 
"ingestedDateTime" : "2020-06-01T02:12:56Z", + "uuid" : "fdd69d98-58de-4249-9871-2e1b233b72ff" + } + service: "observed-attack-techniques" + status: "debug" + tags: + - "source:LOGS_SOURCE" + timestamp: 1590977576000 + - + sample: |- + { + "endpoint" : { + "agentGuid" : "ceddds65-d673-4ba0-a1f6-cf6b05a46152", + "endpointName" : "LAB-Luwak-1048", + "ips" : [ "10.10.10.10", "fe78::1542:af77:b312:35ea" ] + }, + "entityType" : "endpoint", + "entityName" : "desktop-17", + "detectedDateTime" : "2020-06-01T02:12:56Z", + "source" : "networkActivityData", + "filters" : [ { + "riskLevel" : "info", + "mitreTacticIds" : [ "TA0002" ], + "mitreTechniqueIds" : [ "T1560.002" ], + "name" : "Service Execution via Service Control Manager", + "description" : "Service Control Manager (services.exe) has executed a process", + "id" : "F4231", + "highlightedObjects" : [ { + "field" : "objectPort", + "type" : "port", + "value" : 443 + } ], + "type" : "custom" + } ], + "detail" : { + "request" : "https://www.example.com", + "rt" : 1643723400, + "fileName" : "dummy-file.exe", + "serverTls" : "TLSv1.2", + "dst" : "8.8.8.8", + "requestBase" : "example.com", + "requestMethod" : "GET", + "pver" : "1.0", + "companyName" : "Example Inc.", + "fileHash" : "sample-filehash", + "serverProtocol" : "HTTP/1.1", + "suid" : "admin", + "mimeType" : "application/x-msdownload", + "duration" : 100, + "score" : 50, + "endpointHostName" : "dummy-host", + "act" : "2", + "ruleUuid" : "sample-ruleuuid", + "deviceGUID" : "ceddds65-d673-4ba0-a1f6-cf6b05a46152", + "ruleType" : " dummy-rule-type", + "eventName" : " dummy-event", + "ruleName" : " dummy-rule", + "filterRiskLevel" : "info", + "objectId" : "sample-objectuuid", + "src" : "10.10.10.10", + "pname" : " dummy-product", + "fileHashSha256" : "sample-filehashsha256", + "malName" : " dummy-malware", + "profile" : " dummy-profile", + "start" : 1643723400, + "dpt" : 443, + "principalName" : "admin", + "userAgent" : "Mozilla/5.0", + "requestMimeType" : "text/html", + 
"userDomain" : "example.com", + "osName" : "Windows 10", + "tenantGuid" : "nisdds75-d673-4ba0-a1f6-cf6b05a46152", + "eventSubName" : " dummy-sub-event", + "policyUuid" : "sample-policyuuid", + "detectionType" : " dummy-detection", + "application" : "Example App", + "fileSize" : "1024", + "sender" : "gateway", + "spt" : 443, + "clientIp" : "10.10.10.10", + "endpointGuid" : "ceddds65-d673-4ba0-a1f6-cf6b05a46152", + "userDepartment" : "IT", + "fileType" : "application/x-msdownload" + }, + "ingestedDateTime" : "2020-06-01T02:12:56Z", + "uuid" : "fdd69d98-58de-4249-9871-2e1b233b72ff" + } + service: "observed-attack-techniques" + result: + custom: + detail: + act: "2" + application: "Example App" + clientIp: "10.10.10.10" + companyName: "Example Inc." + detectionType: " dummy-detection" + deviceGUID: "ceddds65-d673-4ba0-a1f6-cf6b05a46152" + duration: 100 + endpointGuid: "ceddds65-d673-4ba0-a1f6-cf6b05a46152" + endpointHostName: "dummy-host" + eventName: " dummy-event" + eventSubName: " dummy-sub-event" + fileHash: "sample-filehash" + fileHashSha256: "sample-filehashsha256" + fileName: "dummy-file.exe" + fileSize: "1024" + fileType: "application/x-msdownload" + filterRiskLevel: "info" + malName: " dummy-malware" + mimeType: "application/x-msdownload" + objectId: "sample-objectuuid" + osName: "Windows 10" + pname: " dummy-product" + policyUuid: "sample-policyuuid" + principalName: "admin" + profile: " dummy-profile" + pver: "1.0" + request: "https://www.example.com" + requestBase: "example.com" + requestMethod: "GET" + requestMimeType: "text/html" + rt: 1643723400 + ruleName: " dummy-rule" + ruleType: " dummy-rule-type" + ruleUuid: "sample-ruleuuid" + score: 50 + sender: "gateway" + serverProtocol: "HTTP/1.1" + serverTls: "TLSv1.2" + start: 1643723400 + suid: "admin" + tenantGuid: "nisdds75-d673-4ba0-a1f6-cf6b05a46152" + userAgent: "Mozilla/5.0" + userDepartment: "IT" + userDomain: "example.com" + detectedDateTime: "2020-06-01T02:12:56Z" + endpoint: + agentGuid: 
"ceddds65-d673-4ba0-a1f6-cf6b05a46152" + endpointName: "LAB-Luwak-1048" + ips: + - "10.10.10.10" + - "fe78::1542:af77:b312:35ea" + entityName: "desktop-17" + entityType: "endpoint" + filters: + - + riskLevel: "info" + mitreTacticIds: + - "TA0002" + mitreTechniqueIds: + - "T1560.002" + name: "Service Execution via Service Control Manager" + description: "Service Control Manager (services.exe) has executed a process" + id: "F4231" + highlightedObjects: + - + field: "objectPort" + type: "port" + value: 443 + type: "custom" + ingestedDateTime: "2020-06-01T02:12:56Z" + network: + client: + geoip: {} + ip: "10.10.10.10" + port: 443 + destination: + ip: "8.8.8.8" + port: 443 + oat_event_severity: "Debug" + source: "networkActivityData" + uuid: "fdd69d98-58de-4249-9871-2e1b233b72ff" + message: |- + { + "endpoint" : { + "agentGuid" : "ceddds65-d673-4ba0-a1f6-cf6b05a46152", + "endpointName" : "LAB-Luwak-1048", + "ips" : [ "10.10.10.10", "fe78::1542:af77:b312:35ea" ] + }, + "entityType" : "endpoint", + "entityName" : "desktop-17", + "detectedDateTime" : "2020-06-01T02:12:56Z", + "source" : "networkActivityData", + "filters" : [ { + "riskLevel" : "info", + "mitreTacticIds" : [ "TA0002" ], + "mitreTechniqueIds" : [ "T1560.002" ], + "name" : "Service Execution via Service Control Manager", + "description" : "Service Control Manager (services.exe) has executed a process", + "id" : "F4231", + "highlightedObjects" : [ { + "field" : "objectPort", + "type" : "port", + "value" : 443 + } ], + "type" : "custom" + } ], + "detail" : { + "request" : "https://www.example.com", + "rt" : 1643723400, + "fileName" : "dummy-file.exe", + "serverTls" : "TLSv1.2", + "dst" : "8.8.8.8", + "requestBase" : "example.com", + "requestMethod" : "GET", + "pver" : "1.0", + "companyName" : "Example Inc.", + "fileHash" : "sample-filehash", + "serverProtocol" : "HTTP/1.1", + "suid" : "admin", + "mimeType" : "application/x-msdownload", + "duration" : 100, + "score" : 50, + "endpointHostName" : "dummy-host", + 
"act" : "2", + "ruleUuid" : "sample-ruleuuid", + "deviceGUID" : "ceddds65-d673-4ba0-a1f6-cf6b05a46152", + "ruleType" : " dummy-rule-type", + "eventName" : " dummy-event", + "ruleName" : " dummy-rule", + "filterRiskLevel" : "info", + "objectId" : "sample-objectuuid", + "src" : "10.10.10.10", + "pname" : " dummy-product", + "fileHashSha256" : "sample-filehashsha256", + "malName" : " dummy-malware", + "profile" : " dummy-profile", + "start" : 1643723400, + "dpt" : 443, + "principalName" : "admin", + "userAgent" : "Mozilla/5.0", + "requestMimeType" : "text/html", + "userDomain" : "example.com", + "osName" : "Windows 10", + "tenantGuid" : "nisdds75-d673-4ba0-a1f6-cf6b05a46152", + "eventSubName" : " dummy-sub-event", + "policyUuid" : "sample-policyuuid", + "detectionType" : " dummy-detection", + "application" : "Example App", + "fileSize" : "1024", + "sender" : "gateway", + "spt" : 443, + "clientIp" : "10.10.10.10", + "endpointGuid" : "ceddds65-d673-4ba0-a1f6-cf6b05a46152", + "userDepartment" : "IT", + "fileType" : "application/x-msdownload" + }, + "ingestedDateTime" : "2020-06-01T02:12:56Z", + "uuid" : "fdd69d98-58de-4249-9871-2e1b233b72ff" + } + service: "observed-attack-techniques" + status: "debug" + tags: + - "source:LOGS_SOURCE" + timestamp: 1590977576000 diff --git a/trend_micro_vision_one_xdr/assets/trend-micro-vision-one-xdr.svg b/trend_micro_vision_one_xdr/assets/trend-micro-vision-one-xdr.svg new file mode 100644 index 0000000000000..6abaea449f8be --- /dev/null +++ b/trend_micro_vision_one_xdr/assets/trend-micro-vision-one-xdr.svg @@ -0,0 +1,5 @@ + + + + + \ No newline at end of file diff --git a/trend_micro_vision_one_xdr/images/trend_micro_vision_one_xdr_oat.png b/trend_micro_vision_one_xdr/images/trend_micro_vision_one_xdr_oat.png new file mode 100644 index 0000000000000..61d5f57468423 Binary files /dev/null and b/trend_micro_vision_one_xdr/images/trend_micro_vision_one_xdr_oat.png differ 
diff --git a/trend_micro_vision_one_xdr/images/trend_micro_vision_one_xdr_workbench_alerts.png b/trend_micro_vision_one_xdr/images/trend_micro_vision_one_xdr_workbench_alerts.png
new file mode 100644
index 0000000000000..46fa16632a0a0
Binary files /dev/null and b/trend_micro_vision_one_xdr/images/trend_micro_vision_one_xdr_workbench_alerts.png differ
diff --git a/trend_micro_vision_one_xdr/manifest.json b/trend_micro_vision_one_xdr/manifest.json
index 3d64ea2654d4f..1ec3d9e225a63 100644
--- a/trend_micro_vision_one_xdr/manifest.json
+++ b/trend_micro_vision_one_xdr/manifest.json
@@ -10,7 +10,18 @@
 "changelog": "CHANGELOG.md",
 "description": "Gain insights into trend micro vision one xdr logs",
 "title": "Trend Micro Vision One XDR",
- "media": [],
+ "media": [
+ {
+ "caption": "Trend Micro Vision One XDR - Workbench Alerts",
+ "image_url": "images/trend_micro_vision_one_xdr_workbench_alerts.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Trend Micro Vision One XDR - Observed Attack Techniques",
+ "image_url": "images/trend_micro_vision_one_xdr_oat.png",
+ "media_type": "image"
+ }
+ ],
 "classifier_tags": [
 "Category::Log Collection",
 "Category::Security",
@@ -29,6 +40,13 @@
 "service_checks": {
 "metadata_path": "assets/service_checks.json"
 }
+ },
+ "dashboards": {
+ "Trend Micro Vision One XDR - Workbench Alerts": "assets/dashboards/trend_micro_vision_one_xdr_workbench_alerts.json",
+ "Trend Micro Vision One XDR - Observed Attack Techniques": "assets/dashboards/trend_micro_vision_one_xdr_observed_attack_techniques.json"
+ },
+ "logs": {
+ "source": "trend-micro-vision-one-xdr"
 }
 },
 "author": {
@@ -36,6 +54,5 @@
 "name": "Datadog",
 "homepage": "https://www.datadoghq.com",
 "sales_email": "info@datadoghq.com"
- },
- "oauth": {}
+ }
 }
\ No newline at end of file
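Review bot: The two files referenced under the new `dashboards` key, `assets/dashboards/trend_micro_vision_one_xdr_workbench_alerts.json` and `assets/dashboards/trend_micro_vision_one_xdr_observed_attack_techniques.json`, are not added anywhere in the visible part of this diff, so it is worth confirming they ship in the same change; a manifest pointing at an asset that is not packaged would presumably fail validation rather than degrade gracefully. The `media` entries in the first hunk, by contrast, reference the two PNGs this diff does add, and the `logs.source` value `trend-micro-vision-one-xdr` matches the integration name used in the CHANGELOG, which is the value the `source:` tag on ingested logs will have to carry.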
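Review bot: The last hunk rewrites the closing brace of manifest.json (`- },` / `- "oauth": {}` / `+ }`) but still leaves the file without a trailing newline, as the carried-over `\ No newline at end of file` marker shows; since the final line is already being touched, terminating it with a newline here is free and keeps future diffs of this file from showing the same marker. Dropping the empty `oauth` object reads as consistent with the API-key based setup the README describes, though that inference rests on the README text rather than on anything in this hunk.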