AlienVault® USM Anywhere™

Trend Micro Deep Security

When you configure Trend Micro Deep Security to send log data to USM Anywhere, you can use the Trend Micro Deep Security plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  Vendor: Trend Micro
  Device Type: Endpoint Security
  Connection Type: Syslog

Integrating Trend Micro Deep Security

Trend Micro Deep Security records system events and security events. The security events are generated by the Deep Security Agents installed on the computers in your network. There are two ways to forward these events to USM Anywhere:

  • directly from the agent
  • through the Deep Security Manager

Which forwarding method you should use depends on whether your company runs Deep Security Manager in the cloud or on premises.

If your Deep Security Manager runs in the cloud (outside of your network), you must forward the events directly from the agents because the USM Anywhere Sensor resides in your network without a public IP address. Follow the Trend Micro documentation, Forward security events directly from agent computers, to set up the event forwarding. When creating a new syslog configuration, enter the (internal) IP address of the USM Anywhere Sensor as the server name and UDP 514 as the server port.

If your Deep Security Manager runs on premises, you can choose either option. To forward events through the Deep Security Manager, follow the Trend Micro documentation, Forward security events from the agent computers via the Deep Security Manager. To use TLS at port 6514, download the certificate from USM Anywhere or upload your own certificate to USM Anywhere. For instructions, see Configure Syslog on Your Data Sources.

Plugin Enablement

The Trend Micro Deep Security plugin automatically processes all messages when the raw message contains "Trend Micro|Deep Security (Agent|Manager)".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • base_event_count
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_10
  • customfield_11
  • customfield_2
  • customfield_4
  • customfield_5
  • customfield_6
  • customfield_7
  • customfield_8
  • customfield_9
  • destination_address
  • destination_fqdn
  • destination_hostname
  • destination_mac
  • destination_port
  • destination_username
  • device_custom_number_2
  • device_custom_number_2_label
  • device_custom_number_3
  • device_custom_number_3_label
  • event_action
  • event_description
  • event_name
  • event_severity
  • file_name
  • file_path
  • packet_data
  • plugin_device
  • plugin_device_type
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • request_url
  • source_address
  • source_hostname
  • source_mac
  • source_port
  • source_username
  • transport_protocol
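The following added example (not part of the original page or of the USM Anywhere plugin) shows what the enablement rule and the field list above amount to in practice. It reads the quoted string "Trend Micro|Deep Security (Agent|Manager)" as a regular expression applied to the raw syslog line, assumes the forwarded messages are in CEF format, and maps standard CEF header slots and extension keys onto the plugin field names listed above. Both the CEF assumption and the key-to-field mapping are assumptions for illustration, not the plugin's actual definition; the sample message is constructed, not captured from a real installation.

```python
import re

# Enablement rule quoted on this page: the plugin handles a raw message when it
# contains "Trend Micro|Deep Security (Agent|Manager)". Read as a regex, the
# pipes are literal CEF header separators (escaped here) and the group is an
# alternation between the two Deep Security sources. (Assumed interpretation.)
ENABLEMENT_PATTERN = re.compile(r"Trend Micro\|Deep Security (?:Agent|Manager)")

# CEF header slots 1..6 (after the "CEF:0" version field) named with plugin
# fields from this page. Which slot feeds which field is an assumption.
HEADER_TO_PLUGIN_FIELD = [
    "rep_device_vendor",    # Device Vendor, e.g. "Trend Micro"
    "plugin_device",        # Device Product, e.g. "Deep Security Agent"
    "rep_device_version",   # Device Version
    "rep_device_rule_id",   # Signature ID
    "event_name",           # Name
    "event_severity",       # Severity
]

# Standard ArcSight CEF extension keys -> plugin field names listed on this page.
# The key names are the CEF standard; the mapping to plugin fields is assumed.
CEF_TO_PLUGIN_FIELD = {
    "cnt": "base_event_count", "out": "bytes_out",
    "act": "event_action", "msg": "event_description",
    "dst": "destination_address", "dhost": "destination_hostname",
    "dmac": "destination_mac", "dpt": "destination_port",
    "duser": "destination_username",
    "src": "source_address", "shost": "source_hostname",
    "smac": "source_mac", "spt": "source_port", "suser": "source_username",
    "proto": "transport_protocol",
    "fname": "file_name", "filePath": "file_path", "request": "request_url",
    "cn2": "device_custom_number_2", "cn2Label": "device_custom_number_2_label",
    "cn3": "device_custom_number_3", "cn3Label": "device_custom_number_3_label",
}

# Constructed sample lines (not real Deep Security output): one the plugin
# would claim, one from an unrelated product that it must leave alone.
SAMPLE_MESSAGE = (
    "<134>Jan 01 12:00:00 dsagent-host CEF:0|Trend Micro|Deep Security Agent|"
    "20.0.0.1|1000|Sample Intrusion Prevention Event|6|"
    "cn2=5 cn2Label=Constructed Label act=Block src=198.51.100.7 spt=44321 "
    "dst=10.0.0.5 dpt=443 proto=TCP cnt=1 out=512 msg=Constructed sample event"
)
OTHER_MESSAGE = (
    "<134>Jan 01 12:00:00 otherhost CEF:0|Other Vendor|Other Product|1|1|x|1|msg=ignored"
)


def plugin_matches(raw: str) -> bool:
    """Apply the enablement rule: does this raw syslog line belong to the plugin?"""
    return ENABLEMENT_PATTERN.search(raw) is not None


def _split_cef_header(cef: str):
    """Split the 7 '|'-delimited header fields; a backslash-escaped pipe is literal."""
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            current.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(current)); current = []; i += 1
        else:
            current.append(ch); i += 1
    return fields, cef[i:]  # remainder after the 7th pipe is the extension


def _parse_cef_extension(ext: str) -> dict:
    """Parse 'key=value key=value'; values may contain spaces and '\\=' escapes."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        parsed[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return parsed


def parse_event(raw: str):
    """Return normalized plugin fields for a matching line, or None if the plugin would not fire."""
    if not plugin_matches(raw):
        return None
    start = raw.find("CEF:")
    if start < 0:
        return None
    header, ext = _split_cef_header(raw[start:])
    if len(header) < 7:
        return None  # truncated header: not a complete CEF record
    event = dict(zip(HEADER_TO_PLUGIN_FIELD, header[1:]))
    for key, value in _parse_cef_extension(ext).items():
        name = CEF_TO_PLUGIN_FIELD.get(key)
        if name:
            event[name] = value
    return event


if __name__ == "__main__":
    for line in (SAMPLE_MESSAGE, OTHER_MESSAGE):
        print(parse_event(line))
```

Running the module prints the normalized field dictionary for the Deep Security line and `None` for the unrelated one, which is the behaviour to expect from the enablement rule: a line from another CEF source is simply not claimed by this plugin, even though it is syntactically valid CEF.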

Additional Resources and Troubleshooting