Documentation Center
AlienVault® USM Appliance™

Trend Micro Deep Security

When you configure Trend Micro Deep Security to send log data to USM Appliance, you can use the Trend Micro Deep Security Agent plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Trend Micro
Device Type Endpoint Security
Connection Type Syslog
Data Source Name deepsec-agent
Data Source ID 1862

Integrating Trend Micro Deep Security

Trend Micro Deep Security records system events and security events. The security events are generated by the Deep Security Agents installed on the computers in your network. There are two ways to forward these events to USM Appliance

  • directly from the agent
  • through the Deep Security Manager

The correct way to forward security events depends on which Deep Security option your company implements: in-the-cloud or on-premises.

If your Deep Security Manager runs in the cloud (outside of your network), you must forward the events directly from the agents because the USM Appliance Sensor resides in your network without a public IP address. Follow the Trend Micro documentation, Forward security events directly from agent computers, to set up the event forwarding. When creating a new syslog configuration, enter the IP address of the USM Appliance Sensor as the server name and UDP 514 as the server port.

If your Deep Security Manager runs on premises, you can choose either option. To forward events through the Deep Security Manager, follow the Trend Micro documentation, Forward security events from the agent computers via the Deep Security Manager.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://docs.trendmicro.com/all/ent/ds/v9.5/en-us/Deep_Security_95_Admin_Guide_EN.pdf

For troubleshooting, refer to the vendor documentation:

https://success.trendmicro.com/solution/1111440-troubleshooting-guidelines-for-common-deep-security-issues