From 20b34a559a89627401b74e550bb97eac553003c7 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 12 Sep 2023 12:58:31 +0200 Subject: [PATCH 1/2] chore(Trend Micro): group Trend Micro documentation in a directory --- .../endpoint/{ => trend_micro}/trend_micro_deep_security.md | 0 mkdocs.yml | 3 ++- 2 files changed, 2 insertions(+), 1 deletion(-) rename docs/xdr/features/collect/integrations/endpoint/{ => trend_micro}/trend_micro_deep_security.md (100%) diff --git a/docs/xdr/features/collect/integrations/endpoint/trend_micro_deep_security.md b/docs/xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md similarity index 100% rename from docs/xdr/features/collect/integrations/endpoint/trend_micro_deep_security.md rename to docs/xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md diff --git a/mkdocs.yml b/mkdocs.yml index 203354a2fc..73940cf937 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -165,7 +165,8 @@ nav: - Symantec/Broadcom Endpoint Security: xdr/features/collect/integrations/endpoint/symantec_epp.md - Tanium: xdr/features/collect/integrations/endpoint/tanium.md - TEHTRIS EDR: xdr/features/collect/integrations/endpoint/tehtris_edr.md - - Trend Micro Cloud One / Deep Security: xdr/features/collect/integrations/endpoint/trend_micro_deep_security.md + - Trend Micro: + - Trend Micro Cloud One / Deep Security: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md - Trellix ePO: xdr/features/collect/integrations/endpoint/trellix_epo.md - VMware ESXi: xdr/features/collect/integrations/endpoint/vmware/vmware_esxi.md - VMware VCenter: xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md From 28e1fd9360d36f5bbf3c5abcb6c40a7d3f4db47d Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Tue, 12 Sep 2023 13:18:54 +0200 Subject: [PATCH 2/2] doc(Trend Micro): add documentation about Trend Micro Apex One --- .../trend_micro/trend_micro_apex_one.md | 85 +++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 86 insertions(+) create mode 100644 docs/xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md diff --git a/docs/xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md b/docs/xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md new file mode 100644 index 0000000000..8401e1c659 --- /dev/null +++ b/docs/xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md 
@@ -0,0 +1,85 @@ +uuid: 064f7e8b-ce5f-474d-802e-e88fe2193365 +name: Trend Micro Apex One +type: intake + +## Overview + +Trend Micro Apex One is Endpoint Detection and Response (EDR) solution that detects and protects your endpoints against threats. + +This integration supports the following log types: + +- Application Control violations +- Attack Discovery detections +- Behavior Monitoring detections +- C&C Callback +- Content Violation +- Data Loss Prevention +- Device Control violations +- Suspicious File detections +- Network Content Inspection +- Virus/Malware detections +- Spyware/Grayware detections +- Predictive Machine Learning detections +- Virtual Analyzer detections +- Web Violation +- Engine Update Status +- Pattern Update Status + + +!!! warning + This format is still in beta + +{!_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md!} + +## Configure + +In this guide, you will configure your Apex Central to forward detection through syslog. + +### Prerequisites + +An internal syslog concentrator is required to collect and forward events to Sekoia.io. + +### Enable Syslog forwarding + +To enable syslog forwarding: + +1. Log to Apex Central +2. Go to `Administration > Settings > Syslog Settings` +3. Select the checkbox `Enable syslog forwarding` +4. Provide the IP, listening port and the protocol of our syslog concentrator +5. Select `CEF` as the log format +6. Configure the frequency of the log forwarding +7. 
Select the log types to forward according to the list of supported log types: + - Application Control violations + - Attack Discovery detections + - Behavior Monitoring detections + - C&C Callback + - Content Violation + - Data Loss Prevention + - Device Control violations + - Suspicious File detections + - Network Content Inspection + - Virus/Malware detections + - Spyware/Grayware detections + - Predictive Machine Learning detections + - Virtual Analyzer detections + - Web Violation + - Engine Update Status + - Pattern Update Status +8. Click `Test Connection` to validate the configuration +9. Click `Save` + +## Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `Trend Micro Apex One`. + +## Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. + +## Further Readings + +- [Trend Micro Apex One - Configure syslog forwarding](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) +- [Trend Micro Apex One - Supported Log Types and Formats](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding/syslog-log-types-for.aspx) diff --git a/mkdocs.yml b/mkdocs.yml index 73940cf937..0024784f03 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -166,6 +166,7 @@ nav: - Tanium: xdr/features/collect/integrations/endpoint/tanium.md - TEHTRIS EDR: xdr/features/collect/integrations/endpoint/tehtris_edr.md - Trend Micro: + - Trend Micro Apex One: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md - Trend Micro Cloud One / Deep Security: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md - Trellix ePO: xdr/features/collect/integrations/endpoint/trellix_epo.md - VMware ESXi: xdr/features/collect/integrations/endpoint/vmware/vmware_esxi.md
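Review bot: the rename hunk in PATCH 1/2 (`rename from docs/xdr/features/collect/integrations/endpoint/trend_micro_deep_security.md` to the new `trend_micro/` directory) changes the published URL of an existing integration page, so bookmarks, external links and any in-repo relative links that point at the old path stop resolving; please grep the docs tree for references to `endpoint/trend_micro_deep_security` and consider a redirect from the old location so the move is not a breaking change for readers.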
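Review bot: in the `mkdocs.yml` hunk of PATCH 1/2 (`@@ -165,7 +165,8 @@ nav:`) the new `- Trend Micro:` group is inserted between `TEHTRIS EDR` and `Trellix ePO`, which preserves the existing misordering (alphabetically `Trellix ePO` sorts before `Trend Micro`); since the entry is being moved anyway, placing the group after `Trellix ePO` would leave the endpoint list consistently sorted.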
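Review bot: in the new `trend_micro_apex_one.md` hunk of PATCH 2/2, step 4 (`Provide the IP, listening port and the protocol of our syslog concentrator`) asks the reader to choose a transport but the guide never says which one; syslog over UDP is cleartext and silently drops events under load, so the step should recommend a TCP-based transport, and TLS where the Apex Central protocol selector offers it, to match the detection-forwarding purpose of the page. Several wording fixes in the same hunk: `Trend Micro Apex One is Endpoint Detection and Response (EDR) solution` is missing "an"; `Log to Apex Central` should read "Log in to Apex Central"; "our syslog concentrator" should be "your syslog concentrator" to match "your Apex Central" a few lines above; and "forward detection through syslog" should be "forward detections". The sixteen-item log-type list under step 7 is a verbatim copy of the list in the Overview section; referring back to that list ("the log types listed in the Overview above") avoids the two copies drifting apart on the next update. Finally, both "Further Readings" links target the Apex Central 2019 online help while their titles say "Trend Micro Apex One"; naming them "Trend Micro Apex Central - ..." would describe the destination accurately.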