AlienVault® USM Anywhere™

Trend Micro Control Manager

When you configure Trend Micro Control Manager integration to send log data to USM Anywhere, you can use the Trend Micro Control Manager plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: Trend Micro
Device type: Antivirus
Connection type: syslog

Trend Micro Control Manager Integration

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor. You can use either the Trend Micro Control Manager directly or the Trend Micro LogForwarder tool for the configuration.

Trend Micro Control Manager

To configure Trend Micro Control Manager to send log data to USM Anywhere

  1. Log in to Trend Micro Control Manager.
  2. Go to Notifications > Notification Method Settings and configure syslog settings. See Trend Micro Online Help on Configuring Syslog Settings for instructions.

  3. In the Server IP address field, enter the IP address of your USM Anywhere Sensor.

    USM Anywhere listens for syslog at UDP port 514, TCP port 601, or TLS/TCP port 6514.

    If using TLS, you need to download the certificate from USM Anywhere or upload your own certificate to USM Anywhere. See Configure Syslog on Your Data Sources for instructions.

Trend Micro LogForwarder Tool (LogForwarder.exe)

To configure LogForwarder.exe to send log data to USM Anywhere

  1. Go to the Trend Micro Control Manager installation directory and start LogForwarder.exe as the administrator.
  2. Update settings in the Trend Micro LogForwarder console. See Trend Micro Online Help on Configuring LogForwarder Settings for instructions.

  3. In the IP address field, enter the IP address of your USM Anywhere Sensor.
  4. In the Port field, enter 514.

    Trend Micro LogForwarder only supports UDP.

Plugin Enablement

The Trend Micro Control Manager plugin automatically processes all messages whose syslog tag matches the value "TMCM".
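The following is an added example, not code from AlienVault or Trend Micro. It ties the two points above together: the sensor's three syslog transports (UDP 514, TCP 601, TLS 6514, with a CA certificate for TLS) and the tag-based plugin match. It builds an RFC 3164 line the way a forwarder would, parses the header back out, and reports whether the "TMCM" tag rule would select it; the sensor IP, CA file path and message body are constructed placeholders, and nothing is sent unless you call send_to_sensor yourself.

```python
"""Added example (not AlienVault's or Trend Micro's code): build a syslog line
tagged "TMCM", check it against the tag-based plugin rule, and optionally
forward it to a USM Anywhere Sensor over UDP 514, TCP 601 or TLS 6514.
Sensor address, CA file path and the sample body are constructed placeholders."""
import re
import socket
import ssl
from datetime import datetime

# Listening ports the USM Anywhere Sensor exposes for syslog (from the page).
SYSLOG_PORTS = {"udp": 514, "tcp": 601, "tls": 6514}

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss hostname tag[pid]: message
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$"
)


def build_syslog(tag, hostname, body, facility=1, severity=6, when=None):
    """Assemble an RFC 3164 line as a forwarder such as LogForwarder would emit it."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 space-pads single-digit days ("Jan  5"), so format the day by hand.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {body}"


def parse_header(line):
    """Split a syslog line into PRI, timestamp, hostname, tag and message body."""
    m = _HEADER.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    d["facility"], d["severity"] = divmod(d["pri"], 8)
    return d


def plugin_selects(line, tag="TMCM"):
    """Mirror the enablement rule: the plugin fires only when the syslog tag is TMCM."""
    hdr = parse_header(line)
    return hdr is not None and hdr["tag"] == tag


def send_to_sensor(line, sensor_ip, transport="udp", cafile=None, timeout=5):
    """Deliver one line to the sensor; returns the port used. Network call, opt-in only."""
    port = SYSLOG_PORTS[transport]
    data = line.encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (sensor_ip, port))
        return port
    sock = socket.create_connection((sensor_ip, port), timeout=timeout)
    if transport == "tls":
        # cafile: the certificate downloaded from USM Anywhere (assumed path supplied by caller).
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=sensor_ip)
    with sock:
        sock.sendall(data + b"\n")  # newline framing for TCP syslog (RFC 6587)
    return port


if __name__ == "__main__":
    # Constructed sample; the real TMCM body format is not shown on this page.
    sample = build_syslog("TMCM", "tmcm01", "constructed sample body")
    print(sample)
    print("plugin would select:", plugin_selects(sample))
    print("tag mismatch example:", plugin_selects(build_syslog("CEF", "tmcm01", "x")))
    # To test delivery against a real sensor (placeholder IP):
    # send_to_sensor(sample, "SENSOR_IP_PLACEHOLDER", "udp")
    # send_to_sensor(sample, "SENSOR_IP_PLACEHOLDER", "tls", cafile="/path/to/usm-sensor-ca.pem")
```

If a message arrives but no normalized event appears, run the line you captured on the sensor side through plugin_selects first: a forwarder that emits a different tag (or none) is the usual reason the plugin never fires, and the LogForwarder path only supports UDP, so TCP and TLS apply to the Control Manager console configuration.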

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome

  • destination_address

  • destination_hostname

  • event_name

  • event_outcome

  • file_name

  • file_path

  • malware_family

  • rep_device_hostname

  • rep_device_model

  • rep_device_rule_id

  • source_address

  • source_hostname

  • source_ntdomain

  • source_username

  • timestamp_occurred

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://success.trendmicro.com/product-support/control-manager