AlienVault® USM Appliance™

Trend Micro Deep Security

When you configure Trend Micro Deep Security to send log data to USM Appliance, you can use the Trend Micro Deep Security Agent plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor: Trend Micro
Device Type: Endpoint Security
Connection Type: Syslog
Data Source Name: deepsec-agent
Data Source ID: 1862

Integrating Trend Micro Deep Security

Before you configure the Trend Micro Deep Security integration, you must have the IP address of the USM Appliance Sensor.

To configure Trend Micro Deep Security to send log data to the USM Appliance Sensor

The following steps configure the Deep Security Manager so that all managed computers use Syslog to send log data to the USM Appliance.

First you need to configure Deep Security system event log forwarding to forward Deep Security system events to the USM Appliance Sensor. Then, you must add the Syslog source to your Deep Security Policy configuration.

  1. In the Deep Security Manager program, select Administration > System Settings > SIEM.

  2. Configure SIEM:
    • In the System Event Notification pane, select the Forward System Events to a remote computer (via Syslog) check box.
    • Set the hostname or IP address to which events should be sent. This is the hostname or IP address of the USM Appliance Sensor.
    • Specify the UDP port (514) to which events should be sent.
    • Select Local 0 as the Syslog Facility.
    • Select Common Event Format as the Syslog format.
  3. Save your changes.

Now you must configure and add the Syslog source to your Policy configuration. Set the integration details at the top-level (root/base) policy as described in the following steps:

  1. In the Deep Security Manager program, select Settings > SIEM.

  2. In the upper Anti-Malware Event Forwarding pane:
    • Select the Forward Events To: option and then select the Relay via the Manager option.
    • Set the hostname or IP address to which events should be sent. This is the hostname or IP address of the USM Appliance Sensor.
    • Specify the UDP port (514) to which events should be sent.
    • Select Local 1 as the Syslog Facility.
    • Select Common Event Format as the Syslog Format.
  3. In the Web Reputation Event Forwarding pane:
    • Select the Forward Events To: option and then select the Relay via the Manager option.
    • Set the hostname or IP address to which events should be sent. This is the hostname or IP address of the USM Appliance Sensor.
    • Specify the UDP port (514) to which events should be sent.
    • Select Local 1 as the Syslog Facility.
    • Select Common Event Format as the Syslog Format.
  4. Click Save.
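
To confirm that forwarded messages match the settings above (Local 0 for system events, Local 1 for Anti-Malware and Web Reputation events, Common Event Format), the following added example checks a received syslog datagram. It is not code from AlienVault or Trend Micro; the function names are hypothetical and the sample datagrams are constructed.

```python
import re

# Syslog PRI = facility * 8 + severity; the steps above select Local 0 and Local 1.
FACILITIES = {16: "local0", 17: "local1"}
PRI_RE = re.compile(r"^<(\d{1,3})>")
CEF_KEYS = ("cef_version", "vendor", "product", "device_version",
            "signature_id", "name", "severity")

def split_cef_header(cef):
    """Split the 7 pipe-delimited CEF header fields, honouring \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < len(CEF_KEYS):
        if cef[i] == "\\" and cef[i + 1:i + 2] in ("|", "\\"):
            i += 1                      # skip the backslash, keep the escaped char
            buf.append(cef[i])
        elif cef[i] == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(cef[i])
        i += 1
    if len(fields) < len(CEF_KEYS):
        raise ValueError("incomplete CEF header")
    return dict(zip(CEF_KEYS, fields)), cef[i:]

def check_message(raw, expected_facility):
    """Return (event, problems) for one datagram received on UDP 514."""
    line = raw.decode("utf-8", errors="replace").strip()
    m = PRI_RE.match(line)
    if not m:
        return None, ["missing syslog PRI header"]
    code = int(m.group(1)) >> 3         # drop the 3 severity bits
    facility = FACILITIES.get(code, f"facility{code}")
    problems = ([] if facility == expected_facility else
                [f"facility is {facility}, expected {expected_facility}"])
    start = line.find("CEF:")
    if start < 0:
        return None, problems + ["not Common Event Format"]
    try:
        event, extension = split_cef_header(line[start + 4:])
    except ValueError as exc:
        return None, problems + [str(exc)]
    event.update(facility=facility, extension=extension)
    return event, problems

# Constructed sample datagrams (not captured from a real deployment).
SYSTEM_EVENT = (b"<134>Jan 01 12:00:00 dsm.example.test CEF:0|Trend Micro|"
                b"Deep Security Manager|9.5|600|User Signed In|3|suser=admin")
WRONG_FORMAT = b"<14>Jan 01 12:00:00 dsm.example.test User Signed In"
```

An empty problems list for a message means its facility and format agree with the configuration; any entry names the setting to recheck in Deep Security Manager.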

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://docs.trendmicro.com/all/ent/ds/v9.5/en-us/Deep_Security_95_Admin_Guide_EN.pdf

For troubleshooting, refer to the vendor documentation:

https://success.trendmicro.com/solution/1111440-troubleshooting-guidelines-for-common-deep-security-issues