diff --git a/trellix_endpoint_security/README.md b/trellix_endpoint_security/README.md
index fad7860c116d1..3ee74ebe9bc38 100644
--- a/trellix_endpoint_security/README.md
+++ b/trellix_endpoint_security/README.md
@@ -1,43 +1,54 @@ -# Agent Check: trellix_endpoint_security - ## Overview -This check monitors [trellix_endpoint_security][1]. +[Trellix Endpoint Security (ENS)][1] protects servers, computer systems, laptops, and tablets against known and unknown threats. These threats include malware, suspicious communications, unsafe websites, and downloaded files. Trellix Endpoint Security enables multiple defense technologies to communicate in real time to analyze and protect against threats. -## Setup +This integration ingests the following logs: -### Installation +- **Threat Events**: This endpoint provides details about threat events triggered by Trellix Endpoint Security, including threat prevention, web control, firewall, and adaptive threat protection. -The trellix_endpoint_security check is included in the [Datadog Agent][2] package. -No additional installation is needed on your server. +This integration provides enrichment and visualization for above mentioned event types. It helps to visualize detailed insights into security trends, threats, and policy violations through the out-of-the-box dashboards. Also, This integration provides out of the box detection rules. + +## Setup ### Configuration -!!! Add list of steps to set up this integration !!! +#### Get Credentials of Trellix Endpoint Security -### Validation +1. Log in to the Trellix ePO Saas. +2. Navigate to the **Trellix Developer Portal[2]**. +3. Under **Self-Service**, select **API Access Management**. +4. In the **Credential Configurations** section, provide the following details: + - **Client Type**: Enter a descriptive and identifiable name. + - **APIs**: Choose **Events** from the dropdown. + - **Method Types**: Select **GET**. +5. Click **Request** to submit the request. It typically takes 2-3 days to process. You will be notified once your credentials are ready. +6. When your credentials are available, generate your Client credentials by clicking **Generate** under **Create Client Credentials**. +7. 
Copy the API key from **Access Management**, along with the Client ID and Client Secret, from **Create Client Credentials**. -!!! Add steps to validate integration is functioning as expected !!! +#### Add your Trellix Endpoint Security credentials + +- Client ID +- Client Secret +- API Key ## Data Collected -### Metrics +### Logs -trellix_endpoint_security does not include any metrics. +The Trellix Endpoint Security integration collects and forwards events related to threat prevention, web control, firewall, and adaptive threat protection to Datadog. -### Service Checks +### Metrics -trellix_endpoint_security does not include any service checks. +The Trellix Endpoint Security integration does not include any metrics. ### Events -trellix_endpoint_security does not include any events. +The Trellix Endpoint Security integration does not include any events. -## Troubleshooting +## Support -Need help? Contact [Datadog support][3]. +For additional assistance, contact [Datadog support][3]. -[1]: **LINK_TO_INTEGRATION_SITE** -[2]: https://app.datadoghq.com/account/settings/agent/latest +[1]: https://www.trellix.com/products/endpoint-security/ +[2]: https://developer.manage.trellix.com/mvision/selfservice/home [3]: https://docs.datadoghq.com/help/ - diff --git a/trellix_endpoint_security/assets/dashboards/trellix_endpoint_security_threat_events.json b/trellix_endpoint_security/assets/dashboards/trellix_endpoint_security_threat_events.json new file mode 100644 index 0000000000000..f75784083db76 --- /dev/null +++ b/trellix_endpoint_security/assets/dashboards/trellix_endpoint_security_threat_events.json 
@@ -0,0 +1,2875 @@ +{ + "title": "Trellix Endpoint Security (ENS) - Threat Events", + "description": "This dashboard provides a comprehensive summary of Trellix Endpoint Security logs.", + "widgets": [ + { + "id": 6317091875696640, + "definition": { + "type": "image", + "url": "https://www.trellix.com/en-us/assets/logos/Trellix-Logo-Black.svg", + "url_dark_theme": "https://developer.manage.trellix.com/assets/wc-comp-library/stencil-nav/icons/trellix-logo-dark.svg", + "sizing": "fill", + "margin": "md", + "has_background": false, + "has_border": false, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 3 + } + }, + { + "id": 6318664626386188, + "definition": { + "type": "note", + "content": "This dashboard provides comprehensive visibility into the security events across your endpoints, enabling you to monitor, analyze, and respond to potential threats effectively. By presenting threat prevention events, firewall activities, web protection, and adaptive threat protection events. 
This dashboard enhances your ability to evaluate the overall security posture of your environment\n\nFor more information, see the [Trellix Endpoint Security Integration Documentation](https://docs.datadoghq.com/integrations/trellix_endpoint_security).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 4, + "y": 0, + "width": 8, + "height": 3 + } + }, + { + "id": 7374508639391336, + "definition": { + "title": "Overview", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2024944555190148, + "definition": { + "title": "Total Threat Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb3b3" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 5894337950599692, + "definition": { + "title": "Threat Events by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + 
"sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "semantic", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 7785451134463228, + "definition": { + "title": "Total Threat Prevention Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security service:threat-prevention $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ddeda1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 3 + } + }, + { + "id": 4023601203534756, + "definition": { + "title": "Threat Prevention Events by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + 
"requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security service:threat-prevention $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 3, + "width": 9, + "height": 3 + } + }, + { + "id": 2833067979916938, + "definition": { + "title": "Total Firewall Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security service:firewall $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#becbf4" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 6, + "width": 3, + "height": 3 + } + }, + { + "id": 8565996610487564, + "definition": { + "title": "Firewall Events by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + 
"formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security service:firewall $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 6, + "width": 9, + "height": 3 + } + }, + { + "id": 2109154923689130, + "definition": { + "title": "Total ATP Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security service:adaptive-threat-protection $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#b6c0c8" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 3 + } + }, + { + "id": 4200439091914242, + "definition": { + "title": "Adaptive Threat Protection Events by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" 
+ } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security service:adaptive-threat-protection $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 9, + "width": 9, + "height": 3 + } + }, + { + "id": 1308180909888178, + "definition": { + "title": "Total Web Protection Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security service:web-protection $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">=", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e7bd73" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 2429869255360170, + "definition": { + "title": "Web Protection Events by Severity over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security service:web-protection $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "color_order": "shuffled", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 12, + "width": 9, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 16 + } + }, + { + "id": 6493949293477566, + "definition": { + "title": "Threat Events", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3871774228100030, + "definition": { + "title": "Distribution of Events by Module Names", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@modulename", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 
5812252882307230, + "definition": { + "title": "Total Unhandled Threats", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security @attributes.threathandled:false $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffadad" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 1092351384868770, + "definition": { + "title": "Threat Events by Severity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 15, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 8423990386060400, + "definition": { + "title": "Top 10 Endpoint Names by Threat Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + 
"queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.analyzerhostname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@attributes.threattype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 636423323169884, + "definition": { + "title": "Top 10 Threat Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.threattype", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + 
"id": 3679200050694014, + "definition": { + "title": "Top 10 Action Taken for Threats", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.threatactiontaken", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 3742963234479046, + "definition": { + "title": "Top 10 Threat Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.threatname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 
0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 1041338993898786, + "definition": { + "title": "Top 10 Analyzer Detection Method", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.analyzerdetectionmethod", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 538893396613838, + "definition": { + "title": "Top 10 Infected Users by Threat Name", + "title_size": "16", + "title_align": "left", + "time": { + "hide_incomplete_cost_data": true + }, + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.targetusername", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@attributes.threatname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + 
"count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 6, + "height": 4 + } + }, + { + "id": 3453822557481890, + "definition": { + "title": "Top 10 Threat Categories", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.threatcategory", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 16, + "width": 6, + "height": 4 + } + }, + { + "id": 8594292922198596, + "definition": { + "title": "Distribution of Events by Attack Vector Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.extendedattributes.EPExtendedEvent.AttackVectorType", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + 
"storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 6, + "height": 4 + } + }, + { + "id": 4726836445915148, + "definition": { + "title": "Top 10 Target Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.extendedattributes.EPExtendedEvent.TargetName", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 20, + "width": 6, + "height": 4 + } + }, + { + "id": 1896037270475408, + "definition": { + "title": "Top 10 Source Process Name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.sourceprocessname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" 
+ }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 6, + "height": 4 + } + }, + { + "id": 2832018928733842, + "definition": { + "title": "Top 10 Target Process Name", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.targetprocessname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 24, + "width": 6, + "height": 4 + } + }, + { + "id": 4847541011346712, + "definition": { + "title": "Top 10 Source IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name 
$Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 403537117443526, + "definition": { + "title": "Top 10 Target IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.destination.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 4, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 7780097295830282, + "definition": { + "title": "Top 10 Target MAC Addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.targetmac", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": 
"source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 8, + "y": 28, + "width": 4, + "height": 4 + } + }, + { + "id": 2333763374975550, + "definition": { + "title": "Top 10 Target Host Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.targethostname", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 32, + "width": 6, + "height": 4 + } + }, + { + "id": 7917430614181104, + "definition": { + "title": "Distribution of Events by Target Network Protocol", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "formulas": [ + { + "formula": "query1", + "limit": { + "order": "desc" + } + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + 
"facet": "@attributes.targetprotocol", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 32, + "width": 6, + "height": 4 + } + }, + { + "id": 6240362402526870, + "definition": { + "title": "Top 10 Source URL", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.sourceurl", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 36, + "width": 6, + "height": 4 + } + }, + { + "id": 8270345209256882, + "definition": { + "title": "Top 10 Target File Names", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.targetfilename", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": 
"source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 36, + "width": 6, + "height": 4 + } + }, + { + "id": 3012932609674598, + "definition": { + "title": "Top 10 Source File Path", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@attributes.extendedattributes.EPExtendedEvent.SourceFilePath", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 0, + "y": 40, + "width": 6, + "height": 4 + } + }, + { + "id": 529849355002712, + "definition": { + "title": "Top 10 Target Path", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": 
"@attributes.extendedattributes.EPExtendedEvent.TargetPath", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + }, + "palette": "datadog16", + "scaling": "relative" + } + }, + "layout": { + "x": 6, + "y": 40, + "width": 6, + "height": 4 + } + }, + { + "id": 6302334607924784, + "definition": { + "title": "Threat Event Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:trellix-endpoint-security $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "modulename", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "attributes.threatcategory", + "width": "auto" + }, + { + "field": "attributes.threatname", + "width": "auto" + }, + { + "field": "attributes.threatactiontaken", + "width": "auto" + }, + { + "field": "attributes.threattype", + "width": "auto" + }, + { + "field": "attributes.analyzerhostname", + "width": "auto" + }, + { + "field": "@network.client.ip", + "width": "auto" + }, + { + "field": "@network.destination.ip", + "width": "auto" + }, + { + "field": "attributes.analyzerdetectionmethod", + "width": "auto" + }, + { + "field": "attributes.threathandled", + "width": "auto" + }, + { + "field": 
"attributes.extendedattributes.EPExtendedEvent.AttackVectorType", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 44, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 49, + "is_column_break": true + } + }, + { + "id": 4423210245898522, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "purple", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 7834967616470240, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates Trellix Endpoint security logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security).", + "background_color": "purple", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 8831308902327838, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security status:critical $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 6759925151926398, + "definition": { + "title": "HIGHs", + 
"title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security status:high $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 1247099690960058, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security status:critical $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 6734042029193144, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": 
">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security status:medium $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 7586660613967118, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security status:low $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 5808190364331256, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:trellix-endpoint-security status:info 
$Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 412416152381218, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security status:high $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 1626519686720974, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:trellix-endpoint-security status:medium $Module-Name $Client-IP $Severity $Threat-Action-Taken $Threat-Type" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + 
], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 68, + "width": 12, + "height": 1 + } + } + ], + "template_variables": [ + { + "name": "Module-Name", + "prefix": "@modulename", + "available_values": [], + "default": "*" + }, + { + "name": "Client-IP", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "Severity", + "prefix": "@severity", + "available_values": [], + "default": "*" + }, + { + "name": "Threat-Action-Taken", + "prefix": "@attributes.threatactiontaken", + "available_values": [], + "default": "*" + }, + { + "name": "Threat-Type", + "prefix": "@attributes.threattype", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/trellix_endpoint_security/assets/logs/trellix-endpoint-security.yaml b/trellix_endpoint_security/assets/logs/trellix-endpoint-security.yaml new file mode 100644 index 0000000000000..cefe7727ddd76 --- /dev/null +++ b/trellix_endpoint_security/assets/logs/trellix-endpoint-security.yaml 
@@ -0,0 +1,335 @@ +id: trellix-endpoint-security +metric_id: trellix-endpoint-security +backend_only: false +facets: + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Destination IP + path: network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log + - groups: + - User + name: User Name + path: usr.name + source: log +pipeline: + type: pipeline + name: Trellix Endpoint Security (ENS) + enabled: true + filter: + query: source:trellix-endpoint-security + processors: + - type: category-processor + name: Module name category processor + enabled: true + categories: + - filter: + query: "@attributes.threateventid:[1102 TO 1104] OR + @attributes.threateventid:[1300 TO 1328] OR + @attributes.threateventid:[1400 TO 1431] OR + @attributes.threateventid:[18051 TO 18060] OR + @attributes.threateventid:[34852 TO 34855] OR + @attributes.threateventid:[34920 TO 34926] OR + @attributes.threateventid:[34935 TO 34938] OR + @attributes.threateventid:(1024 OR 1025 OR 1027 OR 1037 OR 1051 OR + 1059 OR 1064 OR 1065 OR 1087 OR 1088 OR 1091 OR 1092 OR 1095 OR + 1096 OR 1106 OR 1202 OR 1203 OR 1278 OR 1280 OR 1282 OR 1284 OR + 1290 OR 1292 OR 34900 OR 34910 OR 34928)" + name: threat-prevention + - filter: + query: "@attributes.threateventid:[1118 TO 1121] OR + @attributes.threateventid:(34857 OR 34865)" + name: common + - filter: + query: "@attributes.threateventid:[35000 TO 35003] OR + @attributes.threateventid:[35009 TO 35011]" + name: firewall + - filter: + query: "@attributes.threateventid:[35100 TO 35107] OR + @attributes.threateventid:[35111 TO 35114] OR + @attributes.threateventid:[37275 TO 37280] OR + @attributes.threateventid:(35116 OR 35117)" + name: adaptive-threat-protection + - filter: + query: "@attributes.threateventid:(18600 OR 18601)" + name: web-protection + target: modulename + - type: service-remapper + name: Define 
`modulename` as the official service of the log + enabled: true + sources: + - modulename + - type: date-remapper + name: Define `attributes.detectedutc` as the official date of the log + enabled: true + sources: + - attributes.detectedutc + - type: category-processor + name: Threat name category processor + enabled: true + categories: + - filter: + query: '@attributes.threatname:" "' + name: N/A + target: attributes.threatname + - name: Lookup for `attributes.threattype` + enabled: true + source: attributes.threattype + target: attributes.threattype + lookupTable: |- + IDS_THREAT_TYPE_VALUE_AP,Access Protection + IDS_THREAT_TYPE_VALUE_DACAP,Dynamic Application Containment + IDS_THREAT_TYPE_VALUE_BOP,Exploit Prevention + IDS_FW_THREAT_TYPE_INTRUSION,Intrusion detected + IDS_THREAT_TYPE_DLD,Malicious file download + IDS_THREAT_TYPE_URL,Malicious URL + IDS_THREAT_TYPE_VALUE_NIPS,Network Intrusion Prevention System + IDS_ALERT_DET_TYP_NOT,Not specified + IDS_THREAT_TYPE_VALUE_SP,Self Protection + IDS_ALERT_DET_TYP_STE,Stealth + IDS_FW_THREAT_TYPE_TRAFFIC,Traffic allowed + IDS_FW_THREAT_TYPE_DETECTION,Traffic detected + type: lookup-processor + - type: category-processor + name: Threat type category processor + enabled: true + categories: + - filter: + query: '@attributes.threattype:" "' + name: N/A + target: attributes.threattype + - name: Lookup for `attributes.threatactiontaken` + enabled: true + source: attributes.threatactiontaken + target: attributes.threatactiontaken + lookupTable: >- + jticlient.allowed,Adaptive Threat Protection Allowed + + jticlient.blocked,Adaptive Threat Protection Blocked + + jticlient.repaired,Adaptive Threat Protection Cleaned + + jticlient.contain,Adaptive Threat Protection Contained + + jticlient.uncontain,Adaptive Threat Protection Released From Containment + + jticlient.would.allowed,Adaptive Threat Protection Would Allow + + jticlient.would.blocked,Adaptive Threat Protection Would Block + + jticlient.would.repaired,Adaptive Threat 
Protection Would Clean + + jticlient.would.contain,Adaptive Threat Protection Would Contain + + jticlient.would.uncontain,Adaptive Threat Protection Would Release From Containment + + IDS_ACTION_ADDED_REQ,Added requester + + IDS_THREAT_ACTION_ALLOW,Allow + + IDS_ALERT_ACT_TAK_ALLOW,Allow access + + IDS_ALERT_ACT_TAK_BLO,Block + + blocked,Blocked + + IDS_ALERT_ACT_TAK_CLE,Clean + + cleaned,Cleaned + + IDS_ACTION_CONTAINED,Contained + + IDS_ALERT_ACT_TAK_CONT,Continue scanning + + IDS_ALERT_ACT_TAK_DEL,Delete + + IDS_ALERT_ACT_TAK_WBD,Delete pending + + IDS_ALERT_ACT_TAK_DEN,Deny access + + execute.deny,Execute denied + + IDS_ALERT_ACT_TAK_MOV,Move + + moved,Moved + + None,None + + none,None + + IDS_THREAT_ACTN_OBSRVD,Observed + + IDS_ALERT_ACT_TAK_PRO,Prompt user + + read.denied,Read denied + + IDS_ACTION_UNCONTAINED,Released from containment + + removed,Removed + + IDS_ACTION_REM_REQ,Removed requester + + IDS_THREAT_ACTION_WARN,Warned + + IDS_ACTION_WOULD_BLOCK,Would block + + IDS_ACTION_WOULD_CLEAN,Would clean + + IDS_ACTION_WOULD_DELETE,Would delete + + execute.woulddeny,Would deny executing + + write.denied,Write denied + type: lookup-processor + - name: Lookup for `attributes.threatcategory` + enabled: true + source: attributes.threatcategory + target: attributes.threatcategory + lookupTable: |- + av,Malware + av.detect,Malware detected + av.detect.heuristics,Malware detected using heuristics + av.promptTimeout,Prompt - Timed Out + av.promptUnavailable,Prompt - Unavailable + av.promptUser,Prompt - User Response + av.reputation,Reputation + behavior.credtheft,Credential theft mitigated + fw,Firewall + fw.app.hook,Firewall application hook + fw.detect,Firewall detected + fw.intrusion,Intrusion detected + hip,Host intrusion + hip.app,Application monitoring + hip.app.block,Application block + hip.behavior.detect,Suspicious behavior detected + hip.bo,Host intrusion buffer overflow + hip.file,'File' class or access + hip.network.detect,Malicious site navigation + 
hip.process,'Process' class or access + hip.registry,'Registry' class or access + mail,Email + mail.filter,Email filtered + mail.phish,Email phishing detected + mail.spam,Email spam + mvedr.update.update,Update + nip,Network intrusion + nip.detect,Network intrusion detected + ops,Operational + ops.clilock,Client interface lockout + ops.fw.detect,Traffic detected + ops.fw.timedgroup,Timed groups + ops.fw.traffic,Traffic allowed + ops.informational.event,Informational event + ops.install,Install + ops.quar.restore,Quarantined item restored + ops.scan,Scan + ops.scan.cancel,Scan canceled + ops.scan.end,Scan ended + ops.scan.error,Scan failed + ops.scan.start,Scan started + ops.service,Service + ops.service.cancel,Service canceled + ops.service.end,Service ended + ops.service.error,Service failed + ops.service.start,Service started + ops.task,Task + ops.task.cancel,Task canceled + ops.task.deferred,Task deferred + ops.task.end,Task ended + ops.task.error,Task failed + ops.task.start,Task started + ops.uninstall,Uninstall + ops.update,Update + ops.update.cancel,Update canceled + ops.update.end,Update ended + ops.update.error,Update failed + ops.update.start,Update started + policy,Policy + policy.quarantine,Policy quarantine + tiem.AccessProtection.info,Access Protection + wp.detect.download,Malicious file download + wp.detect.url,Malicious site navigation + type: lookup-processor + - name: Lookup for + `attributes.extendedattributes.EPExtendedEvent.AttackVectorType` + enabled: true + source: attributes.extendedattributes.EPExtendedEvent.AttackVectorType + target: attributes.extendedattributes.EPExtendedEvent.AttackVectorType + lookupTable: |- + 0,None + 1,Web + 2,External Device + 3,Network + 4,Local System + 5,File Share + type: lookup-processor + - type: attribute-remapper + name: Map `attributes.sourceipv4` to `network.client.ip` + enabled: true + sources: + - attributes.sourceipv4 + sourceType: attribute + target: network.client.ip + targetType: attribute + 
preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `attributes.targetipv4` to `network.destination.ip` + enabled: true + sources: + - attributes.targetipv4 + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `attributes.targetport` to `network.destination.port` + enabled: true + sources: + - attributes.targetport + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `attributes.sourceusername` to `usr.name` + enabled: true + sources: + - attributes.sourceusername + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - name: Lookup on `attributes.threatseverity` to `severity` + enabled: true + source: attributes.threatseverity + target: severity + lookupTable: |- + 0,Emergency + 1,Alert + 2,Critical + 3,Warning + 4,Warning + 5,Notice + 6,Info + 7,Debug + defaultLookup: Info + type: lookup-processor + - type: status-remapper + name: Define `severity` as the official status of the log + enabled: true + sources: + - severity diff --git a/trellix_endpoint_security/assets/logs/trellix-endpoint-security_tests.yaml b/trellix_endpoint_security/assets/logs/trellix-endpoint-security_tests.yaml new file mode 100644 index 0000000000000..f16d053835c1d --- /dev/null +++ b/trellix_endpoint_security/assets/logs/trellix-endpoint-security_tests.yaml 
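Review bot: The `attributes.threatseverity` → `severity` lookup near the end of the hunk maps both `3` and `4` to `Warning`, while the rest of the table (Emergency/Alert/Critical/…/Notice/Info/Debug) follows the syslog 0–7 scale, on which 3 is Error; if that scale is what the source emits, the row should read `3,Error`, and if the collapse is deliberate a short comment on the processor saying why would save the next reader the same question. Because the following `status-remapper` reads this `severity` value and the dashboard's `$Severity` template variable filters on `@severity`, a mis-bucketed level changes which events are surfaced at error versus warning level. `defaultLookup: Info` also quietly downgrades any unrecognised severity value to Info, so an unexpected value from a newer agent build would be triaged as informational; that fallback is worth documenting next to the processor as well.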
@@ -0,0 +1,492 @@ +id: trellix-endpoint-security +tests: + - + sample: |- + { + "links" : { + "self" : "/epo/v2/events/3f88c4ad-8d89-4a0e-bc9b-e21f2c4c08ad" + }, + "attributes" : { + "detectedutc" : "1726009831000", + "analyzermac" : "000000000a01", + "receivedutc" : "1726009912159", + "sourceprocessname" : "test.exe", + "sourceipv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceipv4" : "10.10.10.10", + "analyzerdetectionmethod" : "Access Protection", + "targetusername" : "Test", + "threatseverity" : "2", + "sourceprocesssigned" : true, + "targethash" : "7a0c833ecb19260e4a108c9e7e947038", + "analyzer" : "ENDP_AM_1070", + "nodepath" : "1\\2942564", + "threattype" : "IDS_THREAT_TYPE_VALUE_AP", + "threateventid" : 1092, + "timestamp" : "2024-09-10T23:11:52.159Z", + "targetport" : "1850", + "analyzerversion" : "10.7.0.6711", + "sourcefilepath" : "C:\\Program Files (x86)\\Test\\130.0.6679.0", + "agentguid" : "a078a2e6-e490-4345-839e-7c1f8665a2b9", + "targetfilename" : "C:\\ProgramData\\Test.log", + "threatactiontaken" : "blocked", + "threatname" : "Protect Endpoint Security logs folder", + "analyzername" : "Trellix Endpoint Security", + "threatcategory" : "hip.file", + "autoguid" : "4c99b752-ae2d-4de9-bfbe-61969c0a80dc", + "targetipv6" : "/0:0:0:0:0:ffff:0:0", + "analyzeripv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceprocesshash" : "c583e91ddee7c0e8ac2a3d3aacad2f4c", + "analyzeripv4" : "10.10.10.10", + "sourceusername" : "TEST\\TEST", + "analyzerhostname" : "DESKTOP-TEST", + "targetipv4" : "20.20.20.20", + "extendedattributes" : { + "EPExtendedEvent" : { + "TargetModifyTime" : 1725614523000, + "SourceProcessSigner" : "OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=DELAWARE, OID.2.5.4.15=PRIVATE ORGANIZATION, SERIALNUMBER=3582691, C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE LLC, CN=GOOGLE LLC", + "DurationBeforeDetection" : 1029904, + "TargetPath" : "C:\\ProgramData\\Test", + "TargetFileSize" : 3420, + "AttackVectorType" : 4, + "SourceProcessSigned" : true, + 
"TargetName" : "Test.log", + "TargetAccessTime" : 1726007902000, + "SourceFileSize" : 4884584, + "TargetHash" : "7a0c833ecb19260e4a108c9e7e947038", + "SourceModifyTime" : 1724658416000, + "AnalyzerContentVersion" : "10.7.0", + "SourceProcessHash" : "c583e91ddee7c0e8ac2a3d3aacad2f4c", + "AnalyzerContentCreationDate" : 1442920271000, + "SourceFilePath" : "C:\\Program Files (x86)\\Test\\130.0.6679.0", + "SourceCreateTime" : 1724979927000, + "TargetCreateTime" : 1725613710000, + "SourceAccessTime" : 1726009831000, + "TargetSigned" : false + } + }, + "threathandled" : true + }, + "id" : "3f88c4ad-8d89-4a0e-bc9b-e21f2c4c08ad", + "type" : "MVEvents" + } + service: "threat-events" + result: + custom: + attributes: + agentguid: "a078a2e6-e490-4345-839e-7c1f8665a2b9" + analyzer: "ENDP_AM_1070" + analyzerdetectionmethod: "Access Protection" + analyzerhostname: "DESKTOP-TEST" + analyzeripv4: "10.10.10.10" + analyzeripv6: "/0:0:0:0:0:ffff:ffff:ffff" + analyzermac: "000000000a01" + analyzername: "Trellix Endpoint Security" + analyzerversion: "10.7.0.6711" + autoguid: "4c99b752-ae2d-4de9-bfbe-61969c0a80dc" + detectedutc: "1726009831000" + extendedattributes: + EPExtendedEvent: + AnalyzerContentCreationDate: 1442920271000 + AnalyzerContentVersion: "10.7.0" + AttackVectorType: "Local System" + DurationBeforeDetection: 1029904 + SourceAccessTime: 1726009831000 + SourceCreateTime: 1724979927000 + SourceFilePath: "C:\\Program Files (x86)\\Test\\130.0.6679.0" + SourceFileSize: 4884584 + SourceModifyTime: 1724658416000 + SourceProcessHash: "c583e91ddee7c0e8ac2a3d3aacad2f4c" + SourceProcessSigned: true + SourceProcessSigner: "OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=DELAWARE, OID.2.5.4.15=PRIVATE ORGANIZATION, SERIALNUMBER=3582691, C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE LLC, CN=GOOGLE LLC" + TargetAccessTime: 1726007902000 + TargetCreateTime: 1725613710000 + TargetFileSize: 3420 + TargetHash: "7a0c833ecb19260e4a108c9e7e947038" + TargetModifyTime: 1725614523000 
+ TargetName: "Test.log" + TargetPath: "C:\\ProgramData\\Test" + TargetSigned: false + nodepath: "1\\2942564" + receivedutc: "1726009912159" + sourcefilepath: "C:\\Program Files (x86)\\Test\\130.0.6679.0" + sourceipv6: "/0:0:0:0:0:ffff:ffff:ffff" + sourceprocesshash: "c583e91ddee7c0e8ac2a3d3aacad2f4c" + sourceprocessname: "test.exe" + sourceprocesssigned: true + targetfilename: "C:\\ProgramData\\Test.log" + targethash: "7a0c833ecb19260e4a108c9e7e947038" + targetipv6: "/0:0:0:0:0:ffff:0:0" + targetusername: "Test" + threatactiontaken: "Blocked" + threatcategory: "'File' class or access" + threateventid: 1092 + threathandled: true + threatname: "Protect Endpoint Security logs folder" + threatseverity: "2" + threattype: "Access Protection" + timestamp: "2024-09-10T23:11:52.159Z" + id: "3f88c4ad-8d89-4a0e-bc9b-e21f2c4c08ad" + links: + self: "/epo/v2/events/3f88c4ad-8d89-4a0e-bc9b-e21f2c4c08ad" + modulename: "threat-prevention" + network: + client: + ip: "10.10.10.10" + destination: + ip: "20.20.20.20" + port: "1850" + severity: "Critical" + type: "MVEvents" + usr: + name: "TEST\\TEST" + message: |- + { + "links" : { + "self" : "/epo/v2/events/3f88c4ad-8d89-4a0e-bc9b-e21f2c4c08ad" + }, + "attributes" : { + "detectedutc" : "1726009831000", + "analyzermac" : "000000000a01", + "receivedutc" : "1726009912159", + "sourceprocessname" : "test.exe", + "sourceipv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceipv4" : "10.10.10.10", + "analyzerdetectionmethod" : "Access Protection", + "targetusername" : "Test", + "threatseverity" : "2", + "sourceprocesssigned" : true, + "targethash" : "7a0c833ecb19260e4a108c9e7e947038", + "analyzer" : "ENDP_AM_1070", + "nodepath" : "1\\2942564", + "threattype" : "IDS_THREAT_TYPE_VALUE_AP", + "threateventid" : 1092, + "timestamp" : "2024-09-10T23:11:52.159Z", + "targetport" : "1850", + "analyzerversion" : "10.7.0.6711", + "sourcefilepath" : "C:\\Program Files (x86)\\Test\\130.0.6679.0", + "agentguid" : "a078a2e6-e490-4345-839e-7c1f8665a2b9", + 
"targetfilename" : "C:\\ProgramData\\Test.log", + "threatactiontaken" : "blocked", + "threatname" : "Protect Endpoint Security logs folder", + "analyzername" : "Trellix Endpoint Security", + "threatcategory" : "hip.file", + "autoguid" : "4c99b752-ae2d-4de9-bfbe-61969c0a80dc", + "targetipv6" : "/0:0:0:0:0:ffff:0:0", + "analyzeripv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceprocesshash" : "c583e91ddee7c0e8ac2a3d3aacad2f4c", + "analyzeripv4" : "10.10.10.10", + "sourceusername" : "TEST\\TEST", + "analyzerhostname" : "DESKTOP-TEST", + "targetipv4" : "20.20.20.20", + "extendedattributes" : { + "EPExtendedEvent" : { + "TargetModifyTime" : 1725614523000, + "SourceProcessSigner" : "OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=DELAWARE, OID.2.5.4.15=PRIVATE ORGANIZATION, SERIALNUMBER=3582691, C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE LLC, CN=GOOGLE LLC", + "DurationBeforeDetection" : 1029904, + "TargetPath" : "C:\\ProgramData\\Test", + "TargetFileSize" : 3420, + "AttackVectorType" : 4, + "SourceProcessSigned" : true, + "TargetName" : "Test.log", + "TargetAccessTime" : 1726007902000, + "SourceFileSize" : 4884584, + "TargetHash" : "7a0c833ecb19260e4a108c9e7e947038", + "SourceModifyTime" : 1724658416000, + "AnalyzerContentVersion" : "10.7.0", + "SourceProcessHash" : "c583e91ddee7c0e8ac2a3d3aacad2f4c", + "AnalyzerContentCreationDate" : 1442920271000, + "SourceFilePath" : "C:\\Program Files (x86)\\Test\\130.0.6679.0", + "SourceCreateTime" : 1724979927000, + "TargetCreateTime" : 1725613710000, + "SourceAccessTime" : 1726009831000, + "TargetSigned" : false + } + }, + "threathandled" : true + }, + "id" : "3f88c4ad-8d89-4a0e-bc9b-e21f2c4c08ad", + "type" : "MVEvents" + } + service: "threat-prevention" + status: "critical" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726009831000 + - + sample: |- + { + "links" : { + "self" : "/epo/v2/events/502301bb-cc98-4708-ae12-1be817f8cf50" + }, + "attributes" : { + "detectedutc" : "1726561344000", + "analyzermac" : 
"000000000a01", + "receivedutc" : "1726561912739", + "sourceprocessname" : "test.exe", + "sourceipv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceipv4" : "10.10.10.10", + "analyzerdetectionmethod" : "Dynamic Application Containment", + "threatseverity" : "4", + "analyzer" : "ENDPATP_1070", + "nodepath" : "1\\2942564", + "threattype" : "IDS_THREAT_TYPE_VALUE_DACAP", + "threateventid" : 37275, + "timestamp" : "2024-09-17T08:31:52.739Z", + "analyzerversion" : "10.7.0", + "sourcefilepath" : "C:\\Program Files\\Test", + "agentguid" : "a078a2e6-e490-4345-839e-7c1f8665a2b9", + "targetfilename" : "C:\\Program Files\\Test\\test.exe", + "threatactiontaken" : "IDS_ACTION_CONTAINED", + "threatname" : "DAC:Contained", + "analyzername" : "Trellix Endpoint Security", + "threatcategory" : "hip.process", + "autoguid" : "5a23a888-8af1-41ce-9f6a-14150433704c", + "targetipv6" : "/0:0:0:0:0:ffff:0:0", + "analyzeripv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceprocesshash" : "2662decb9c421566ef5a73b977c56205", + "analyzeripv4" : "10.10.10.10", + "analyzerhostname" : "DESKTOP-TEST", + "targetipv4" : "20.20.20.20", + "extendedattributes" : { + "EPExtendedEvent" : { + "SourceFileSize" : 92672, + "SourceModifyTime" : 1726328621000, + "TargetPath" : "C:\\Program Files\\Test", + "SourceProcessHash" : "2662decb9c421566ef5a73b977c56205", + "AttackVectorType" : 4, + "SourceFilePath" : "C:\\Program Files\\Test", + "SourceCreateTime" : 1726328564000, + "TargetName" : "test.exe", + "SourceAccessTime" : 1726561343000 + } + }, + "threathandled" : true + }, + "id" : "502301bb-cc98-4708-ae12-1be817f8cf50", + "type" : "MVEvents" + } + service: "threat-events" + result: + custom: + attributes: + agentguid: "a078a2e6-e490-4345-839e-7c1f8665a2b9" + analyzer: "ENDPATP_1070" + analyzerdetectionmethod: "Dynamic Application Containment" + analyzerhostname: "DESKTOP-TEST" + analyzeripv4: "10.10.10.10" + analyzeripv6: "/0:0:0:0:0:ffff:ffff:ffff" + analyzermac: "000000000a01" + analyzername: "Trellix Endpoint Security" 
+ analyzerversion: "10.7.0" + autoguid: "5a23a888-8af1-41ce-9f6a-14150433704c" + detectedutc: "1726561344000" + extendedattributes: + EPExtendedEvent: + AttackVectorType: "Local System" + SourceAccessTime: 1726561343000 + SourceCreateTime: 1726328564000 + SourceFilePath: "C:\\Program Files\\Test" + SourceFileSize: 92672 + SourceModifyTime: 1726328621000 + SourceProcessHash: "2662decb9c421566ef5a73b977c56205" + TargetName: "test.exe" + TargetPath: "C:\\Program Files\\Test" + nodepath: "1\\2942564" + receivedutc: "1726561912739" + sourcefilepath: "C:\\Program Files\\Test" + sourceipv6: "/0:0:0:0:0:ffff:ffff:ffff" + sourceprocesshash: "2662decb9c421566ef5a73b977c56205" + sourceprocessname: "test.exe" + targetfilename: "C:\\Program Files\\Test\\test.exe" + targetipv6: "/0:0:0:0:0:ffff:0:0" + threatactiontaken: "Contained" + threatcategory: "'Process' class or access" + threateventid: 37275 + threathandled: true + threatname: "DAC:Contained" + threatseverity: "4" + threattype: "Dynamic Application Containment" + timestamp: "2024-09-17T08:31:52.739Z" + id: "502301bb-cc98-4708-ae12-1be817f8cf50" + links: + self: "/epo/v2/events/502301bb-cc98-4708-ae12-1be817f8cf50" + modulename: "adaptive-threat-protection" + network: + client: + ip: "10.10.10.10" + destination: + ip: "20.20.20.20" + severity: "Warning" + type: "MVEvents" + message: |- + { + "links" : { + "self" : "/epo/v2/events/502301bb-cc98-4708-ae12-1be817f8cf50" + }, + "attributes" : { + "detectedutc" : "1726561344000", + "analyzermac" : "000000000a01", + "receivedutc" : "1726561912739", + "sourceprocessname" : "test.exe", + "sourceipv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceipv4" : "10.10.10.10", + "analyzerdetectionmethod" : "Dynamic Application Containment", + "threatseverity" : "4", + "analyzer" : "ENDPATP_1070", + "nodepath" : "1\\2942564", + "threattype" : "IDS_THREAT_TYPE_VALUE_DACAP", + "threateventid" : 37275, + "timestamp" : "2024-09-17T08:31:52.739Z", + "analyzerversion" : "10.7.0", + "sourcefilepath" : 
"C:\\Program Files\\Test", + "agentguid" : "a078a2e6-e490-4345-839e-7c1f8665a2b9", + "targetfilename" : "C:\\Program Files\\Test\\test.exe", + "threatactiontaken" : "IDS_ACTION_CONTAINED", + "threatname" : "DAC:Contained", + "analyzername" : "Trellix Endpoint Security", + "threatcategory" : "hip.process", + "autoguid" : "5a23a888-8af1-41ce-9f6a-14150433704c", + "targetipv6" : "/0:0:0:0:0:ffff:0:0", + "analyzeripv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceprocesshash" : "2662decb9c421566ef5a73b977c56205", + "analyzeripv4" : "10.10.10.10", + "analyzerhostname" : "DESKTOP-TEST", + "targetipv4" : "20.20.20.20", + "extendedattributes" : { + "EPExtendedEvent" : { + "SourceFileSize" : 92672, + "SourceModifyTime" : 1726328621000, + "TargetPath" : "C:\\Program Files\\Test", + "SourceProcessHash" : "2662decb9c421566ef5a73b977c56205", + "AttackVectorType" : 4, + "SourceFilePath" : "C:\\Program Files\\Test", + "SourceCreateTime" : 1726328564000, + "TargetName" : "test.exe", + "SourceAccessTime" : 1726561343000 + } + }, + "threathandled" : true + }, + "id" : "502301bb-cc98-4708-ae12-1be817f8cf50", + "type" : "MVEvents" + } + service: "adaptive-threat-protection" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726561344000 + - + sample: |- + { + "links" : { + "self" : "/epo/v2/events/b34295d8-f1d0-4da5-b8b6-344fe0cf9923" + }, + "attributes" : { + "detectedutc" : "1726138800000", + "analyzermac" : "000000000a01", + "receivedutc" : "1726142214046", + "sourceipv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceipv4" : "10.10.10.10", + "threatseverity" : "6", + "analyzer" : "ENDP_WP_1070", + "nodepath" : "1\\2942564", + "threattype" : " ", + "threateventid" : 18600, + "timestamp" : "2024-09-12T11:56:54.046Z", + "analyzerversion" : "10.7.0", + "agentguid" : "a078a2e6-e490-4345-839e-7c1f8665a2b9", + "threatactiontaken" : "none", + "threatname" : " ", + "analyzername" : "Trellix Endpoint Security", + "sourceurl" : "reports.allowedSite", + "threatcategory" : 
"ops.informational.event", + "autoguid" : "9de8bc2c-27bd-4160-9edb-bfe0bf9d90eb", + "targetipv6" : "/0:0:0:0:0:ffff:0:0", + "analyzeripv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "analyzeripv4" : "10.10.10.10", + "sourceusername" : "TEST\\TEST", + "analyzerhostname" : "TEST", + "targetipv4" : "20.20.20.20" + }, + "id" : "b34295d8-f1d0-4da5-b8b6-344fe0cf9923", + "type" : "MVEvents" + } + service: "threat-events" + result: + custom: + attributes: + agentguid: "a078a2e6-e490-4345-839e-7c1f8665a2b9" + analyzer: "ENDP_WP_1070" + analyzerhostname: "TEST" + analyzeripv4: "10.10.10.10" + analyzeripv6: "/0:0:0:0:0:ffff:ffff:ffff" + analyzermac: "000000000a01" + analyzername: "Trellix Endpoint Security" + analyzerversion: "10.7.0" + autoguid: "9de8bc2c-27bd-4160-9edb-bfe0bf9d90eb" + detectedutc: "1726138800000" + nodepath: "1\\2942564" + receivedutc: "1726142214046" + sourceipv6: "/0:0:0:0:0:ffff:ffff:ffff" + sourceurl: "reports.allowedSite" + targetipv6: "/0:0:0:0:0:ffff:0:0" + threatactiontaken: "None" + threatcategory: "Informational event" + threateventid: 18600 + threatname: "N/A" + threatseverity: "6" + threattype: "N/A" + timestamp: "2024-09-12T11:56:54.046Z" + id: "b34295d8-f1d0-4da5-b8b6-344fe0cf9923" + links: + self: "/epo/v2/events/b34295d8-f1d0-4da5-b8b6-344fe0cf9923" + modulename: "web-protection" + network: + client: + ip: "10.10.10.10" + destination: + ip: "20.20.20.20" + severity: "Info" + type: "MVEvents" + usr: + name: "TEST\\TEST" + message: |- + { + "links" : { + "self" : "/epo/v2/events/b34295d8-f1d0-4da5-b8b6-344fe0cf9923" + }, + "attributes" : { + "detectedutc" : "1726138800000", + "analyzermac" : "000000000a01", + "receivedutc" : "1726142214046", + "sourceipv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "sourceipv4" : "10.10.10.10", + "threatseverity" : "6", + "analyzer" : "ENDP_WP_1070", + "nodepath" : "1\\2942564", + "threattype" : " ", + "threateventid" : 18600, + "timestamp" : "2024-09-12T11:56:54.046Z", + "analyzerversion" : "10.7.0", + "agentguid" : 
"a078a2e6-e490-4345-839e-7c1f8665a2b9", + "threatactiontaken" : "none", + "threatname" : " ", + "analyzername" : "Trellix Endpoint Security", + "sourceurl" : "reports.allowedSite", + "threatcategory" : "ops.informational.event", + "autoguid" : "9de8bc2c-27bd-4160-9edb-bfe0bf9d90eb", + "targetipv6" : "/0:0:0:0:0:ffff:0:0", + "analyzeripv6" : "/0:0:0:0:0:ffff:ffff:ffff", + "analyzeripv4" : "10.10.10.10", + "sourceusername" : "TEST\\TEST", + "analyzerhostname" : "TEST", + "targetipv4" : "20.20.20.20" + }, + "id" : "b34295d8-f1d0-4da5-b8b6-344fe0cf9923", + "type" : "MVEvents" + } + service: "web-protection" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1726138800000 \ No newline at end of file diff --git a/trellix_endpoint_security/assets/trellix_endpoint_security.svg b/trellix_endpoint_security/assets/trellix_endpoint_security.svg new file mode 100644 index 0000000000000..9f3b20b261bc5 --- /dev/null +++ b/trellix_endpoint_security/assets/trellix_endpoint_security.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/trellix_endpoint_security/images/trellix_endpoint_security_threat_events.png b/trellix_endpoint_security/images/trellix_endpoint_security_threat_events.png new file mode 100644 index 0000000000000..6f2cb7d7c0187 Binary files /dev/null and b/trellix_endpoint_security/images/trellix_endpoint_security_threat_events.png differ diff --git a/trellix_endpoint_security/manifest.json b/trellix_endpoint_security/manifest.json index 37bef2693715a..eefd51cefab6b 100644 --- a/trellix_endpoint_security/manifest.json +++ b/trellix_endpoint_security/manifest.json 
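Review bot: The fixtures put a routable public address in `targetipv4` (`"targetipv4" : "20.20.20.20"` in all three samples), so anyone who copies a sample into a live test ends up with an event pointing at a real host; committed samples should use an RFC 5737 documentation range, e.g. `"targetipv4" : "203.0.113.20"` (constructed), with the expected `network.destination.ip` updated to match. Coverage of the pipeline's fallback paths is also thin: no sample carries a `threatseverity` outside 0–7 or omits it, so the `defaultLookup: Info` branch of the severity lookup and the `status` it produces are never asserted, and a fourth sample exercising that case would catch a regression in the status mapping. The file also ends without a trailing newline, as the marker after the last `timestamp` line shows.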
@@ -10,7 +10,13 @@
 "changelog": "CHANGELOG.md",
 "description": "Gain insights into Trellix Endpoint Security logs",
 "title": "Trellix Endpoint Security (ENS)",
- "media": [],
+ "media": [
+ {
+ "caption": "Trellix Endpoint Security (ENS) - Threat Events",
+ "image_url": "images/trellix_endpoint_security_threat_events.png",
+ "media_type": "image"
+ }
+ ],
 "classifier_tags": [
 "Category::Log Collection",
 "Category::Security",
@@ -29,6 +35,12 @@
 "service_checks": {
 "metadata_path": "assets/service_checks.json"
 }
+ },
+ "dashboards": {
+ "Trellix Endpoint Security (ENS) - Threat Events": "assets/dashboards/trellix_endpoint_security_threat_events.json"
+ },
+ "logs": {
+ "source": "trellix-endpoint-security"
+ }
 },
 "author": {