AlienVault® USM Anywhere™

Trend Micro Deep Security

When you configure Trend Micro Deep Security to send log data to USM Anywhere, you can use the Trend Micro Deep Security plugin to translate the raw log data into normalized events for analysis.

Device Details

  Vendor:          Trend Micro
  Device Type:     Endpoint Security
  Connection Type: Syslog

Integrating Trend Micro Deep Security

Before you configure the Trend Micro Deep Security integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Trend Micro Deep Security to send log data to the USM Anywhere Sensor

The following steps configure the Deep Security Manager so that all managed computers use Syslog to send log data to USM Anywhere.

First, configure Deep Security system event log forwarding so that Deep Security system events are sent to the USM Anywhere Sensor. Then add the Syslog source to your Deep Security policy configuration.

  1. In the Deep Security Manager program, select Administration > System Settings > SIEM.

  2. Configure SIEM:
    • In the System Event Notification pane, select the Forward System Events to a remote computer (via Syslog) check box.
    • Set the Hostname or IP address to which events should be sent. This is the hostname or IP address of the USM Anywhere sensor.
    • Specify the UDP port (514) to which events should be sent.
    • Select Local 0 as the Syslog Facility.
    • Select Common Event Format as the Syslog format.
  3. Save your changes.

Now configure and add the Syslog source to your policy configuration. Set the integration details at the top (root/base) policy as described in the following steps:

  1. In the Deep Security Manager program, select Settings > SIEM.

  2. In the upper Anti-Malware Event Forwarding pane:
    • Select the Forward Events To: option and then select the Relay via the Manager option.
    • Set the hostname or IP address to which events should be sent. This is the hostname or IP address of the USM Anywhere sensor.
    • Specify the UDP port (514) to which events should be sent.
    • Select Local 1 as the Syslog Facility.
    • Select Common Event Format as the Syslog Format.
  3. In the Web Reputation Event Forwarding pane:
    • Select the Forward Events To: option and then select the Relay via the Manager option.
    • Set the hostname or IP address to which events should be sent. This is the hostname or IP address of the USM Anywhere sensor.
    • Specify the UDP port (514) to which events should be sent.
    • Select Local 1 as the Syslog Facility.
    • Select Common Event Format as the Syslog Format.
  4. Click Save.

Plugin Enablement

The Trend Micro Deep Security plugin automatically processes any message whose raw text contains "Trend Micro|Deep Security (Agent|Manager)", that is, the vendor and product fields of the CEF header described in the configuration steps above.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • base_event_count
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_10
  • customfield_11
  • customfield_2
  • customfield_4
  • customfield_5
  • customfield_6
  • customfield_7
  • customfield_8
  • customfield_9
  • destination_address
  • destination_fqdn
  • destination_hostname
  • destination_mac
  • destination_port
  • destination_username
  • device_custom_number_2
  • device_custom_number_2_label
  • device_custom_number_3
  • device_custom_number_3_label
  • event_action
  • event_description
  • event_name
  • event_severity
  • file_name
  • file_path
  • packet_data
  • plugin_device
  • plugin_device_type
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • request_url
  • source_address
  • source_hostname
  • source_mac
  • source_port
  • source_username
  • transport_protocol
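To make the enablement rule and the field list above concrete, here is an added Python example (not AlienVault's plugin code) that applies the "Trend Micro|Deep Security (Agent|Manager)" match to a syslog line, parses the CEF header and extension with their escape rules, and maps CEF keys onto the plugin field names listed above. The CEF-key-to-plugin-field mapping and the three sample syslog lines are assumptions constructed for the example, not values taken from the page or from Deep Security.

```python
import re
# Plugin-enablement condition quoted on this page: the CEF vendor|product header.
PLUGIN_MATCH = re.compile(r"Trend Micro\|Deep Security (Agent|Manager)")
# Assumed CEF-extension-key -> plugin-field mapping (illustrative, not AlienVault's
# own table); keys without a mapping are kept under a "cef_" prefix.
CEF_TO_PLUGIN = {
    "src": "source_address", "dst": "destination_address", "spt": "source_port",
    "dpt": "destination_port", "proto": "transport_protocol", "act": "event_action",
    "suser": "source_username", "msg": "event_description", "cnt": "base_event_count",
    "dvc": "rep_device_address", "dvchost": "rep_device_hostname", "fname": "file_name",
    "filePath": "file_path", "request": "request_url", "cs1": "customfield_1",
    "cn2": "device_custom_number_2", "cn2Label": "device_custom_number_2_label",
}
HEADER_PIPE = re.compile(r"(?<!\\)\|")   # a '|' that is not escaped as '\|'
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # an unescaped '=' always starts a key

def unescape(s):
    # CEF escapes: '\|', '\=', '\\', plus '\n' / '\r' inside extension values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), s)

def parse_extension(ext):
    # Values may contain spaces, so each value runs up to the next "key=" token.
    keys = list(EXT_KEY.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]
    return {k[1]: unescape(ext[k.end():end]) for k, end in zip(keys, ends)}

def normalize(raw):
    """Return a normalized event dict, or None when the plugin would not claim the line."""
    if not PLUGIN_MATCH.search(raw):
        return None
    start = raw.find("CEF:")                # drop the syslog PRI/timestamp/host prefix
    parts = HEADER_PIPE.split(raw[start:], maxsplit=7) if start >= 0 else []
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    _, vendor, product, version, sig_id, name, severity = map(unescape, parts[:7])
    event = {"plugin_device_type": "Endpoint Security", "rep_device_vendor": vendor,
             "rep_device_type": product, "rep_device_version": version,
             "rep_device_rule_id": sig_id, "event_name": name,
             "event_severity": int(severity)}
    for key, value in parse_extension(parts[7]).items():
        event[CEF_TO_PLUGIN.get(key, "cef_" + key)] = value
    return event

# Constructed sample syslog lines (not real Deep Security output).
SAMPLES = [
    r"<134>Jan 12 10:15:03 dsm-01 CEF:0|Trend Micro|Deep Security Manager|9.5.2456|600|User Signed In|3|src=10.10.1.5 suser=admin target=admin msg=User signed in from 10.10.1.5",
    r"<134>Jan 12 10:16:44 web-01 CEF:0|Trend Micro|Deep Security Agent|9.5.2.2456|4000000|Malware Detected \| EICAR|6|cn1=1 cn1Label=Host ID dvchost=web-01 cs1Label=Infected Resource cs1=C:\\Users\\test\\eicar.com act=Quarantine",
    r"<134>Jan 12 10:17:00 fw-01 CEF:0|OtherVendor|Firewall|1.0|100|Deny|4|src=192.0.2.7 dst=10.0.0.1",
]
```

Running normalize() over SAMPLES shows the third line (a different vendor) is rejected by the enablement match, while the escaped pipe in the event name and the escaped backslashes in the file path are restored correctly.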

Additional Resources and Troubleshooting

http://docs.trendmicro.com/all/ent/ds/v9.5/en-us/Deep_Security_95_Admin_Guide_EN.pdf

For troubleshooting, refer to the vendor documentation:

https://success.trendmicro.com/solution/1111440-troubleshooting-guidelines-for-common-deep-security-issues