AlienVault® USM Anywhere™

Trend Micro Control Manager

When you configure Trend Micro Control Manager integration to send log data to USM Anywhere, you can use the Trend Micro Control Manager plugin to translate the raw log data into normalized events for analysis.

Device Details

Device vendor: Trend Micro
Device type: Antivirus
Connection type: syslog
Vendor link: See the Trend Micro Control Manager 6.0 Service Pack 3 Administrator's Guide on the vendor's website.

Trend Micro Control Manager Integration

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor. You can configure log forwarding from either the Trend Micro Control Manager web console or the CLI.

Web Console

To configure Trend Micro Control Manager to send log data to USM Anywhere

  1. Log in to the Trend Micro Control Manager console.
  2. Go to Administration > Event Center > General Event Settings.
  3. Go to the Syslog Settings section, and type the IP address of your USM Anywhere Sensor and port 514.
  4. Select the syslog facility from the list.
  5. Click Save.

CLI

To configure Trend Micro Control Manager to send log data to USM Anywhere

  1. Go to the Control Manager root folder, at either C:\Program Files\Trend Micro\Control Manager or C:\Program Files (x86)\Trend Micro\Control Manager.
  2. Launch DataExportTool.exe.
  3. Configure the log receiver settings:
     1. Severity = syslog severity. Default: Notice.
     2. IP address = the IP address of your USM Anywhere Sensor.
     3. Port = 514.
     4. Facility = syslog facility. Default: Local0.
  4. Configure the log forwarding settings:
     1. Frequency = how often Syslog Forwarder queries Control Manager for logs. Default: 12 hours.
     2. Logs to forward = the log types to send. Default: no selection.
     3. Format = CEF or Control Manager format.
  5. Click Start.

Plugin Enablement

The Trend Micro Control Manager plugin automatically processes all messages whose syslog tag matches the value "TMCM".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • destination_address
  • destination_hostname
  • event_name
  • event_outcome
  • file_name
  • file_path
  • malware_family
  • rep_device_hostname
  • rep_device_model
  • rep_device_rule_id
  • source_address
  • source_hostname
  • source_ntdomain
  • source_username
  • timestamp_occurred
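To see how a forwarded line becomes the fields above, here is an added example (not the USM Anywhere plugin's own code) that checks the TMCM syslog tag described under Plugin Enablement, splits a CEF-format message as selected in the DataExportTool Format setting, and maps it onto the plugin field names. The sample line is constructed, and the CEF-key-to-plugin-field mapping and the use of the CEF header for event_name, rep_device_model and rep_device_rule_id are assumptions for illustration.

```python
import re

# Assumed mapping from CEF extension keys to the plugin fields listed above.
CEF_TO_PLUGIN = {
    "src": "source_address", "shost": "source_hostname",
    "suser": "source_username", "sntdom": "source_ntdomain",
    "dst": "destination_address", "dhost": "destination_hostname",
    "fname": "file_name", "filePath": "file_path", "act": "event_outcome",
    "dvchost": "rep_device_hostname", "rt": "timestamp_occurred",
}
# <PRI>MMM dd hh:mm:ss host TAG: message  (RFC 3164 style, as sent to UDP/514)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+):? ?(?P<msg>.*)$")

def split_cef(msg):
    """Split 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension'."""
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)  # '\|' is a literal pipe
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    return [p.replace("\\|", "|") for p in parts[:7]], parts[7]

def parse_extension(ext):
    """key=value pairs; values may contain spaces, and '=' or '\\' are escaped."""
    pairs = re.finditer(r"(\w+)=((?:\\.|[^=\\])*?)(?= \w+=|$)", ext)
    return {m[1]: re.sub(r"\\(.)", r"\1", m[2]).strip() for m in pairs}

def normalize(line):
    """Return plugin fields for a TMCM-tagged line, or None if the tag differs."""
    m = SYSLOG_RE.match(line)
    if not m or m["tag"] != "TMCM":
        return None  # the plugin ignores messages not tagged TMCM
    header, ext = split_cef(m["msg"])
    event = {"rep_device_model": header[2], "rep_device_rule_id": header[4],
             "event_name": header[5], "syslog_facility": int(m["pri"]) >> 3}
    for key, value in parse_extension(ext).items():
        if key in CEF_TO_PLUGIN:
            event[CEF_TO_PLUGIN[key]] = value
    return event

# Constructed sample line. PRI 133 = facility local0 (16) * 8 + severity notice (5),
# the defaults shown in the DataExportTool steps above.
SAMPLE = (r"<133>Jan 12 10:15:03 tmcm-srv TMCM: CEF:0|Trend Micro|Control Manager|"
          r"6.0|VIRUS|Virus Detected|6|src=10.0.0.5 shost=WS-01 suser=jdoe "
          r"sntdom=CORP fname=invoice.pdf.exe filePath=C:\\Users\\jdoe\\Downloads "
          r"act=Quarantined dvchost=tmcm-srv rt=Jan 12 2020 10:14:59")

if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE).items()):
        print(f"{field:20} {value}")
```

A line whose facility does not decode to the value you chose in step 3 or 4 of the CLI procedure, or whose tag is anything other than TMCM, is the first thing to check when events do not appear.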

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://success.trendmicro.com/product-support/control-manager