When you configure Trend Micro Deep Security to send log data to USM Anywhere, you can use the Trend Micro Deep Security plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
| Property | Value |
|---|---|
| Device Type | Endpoint Security |
Integrating Trend Micro Deep Security
Trend Micro Deep Security records system events and security events. The security events are generated by the Deep Security Agents installed on the computers in your network. There are two ways to forward these events to USM Anywhere:
- directly from the agent
- through the Deep Security Manager
The correct way to forward security events depends on which Deep Security option your company implements: in-the-cloud or on-premises.
If your Deep Security Manager runs in the cloud (outside of your network), you must forward the events directly from the agents because the USM Anywhere Sensor resides in your network without a public IP address. Follow the Trend Micro documentation, Forward security events directly from agent computers, to set up the event forwarding. When creating a new syslog configuration, enter the
If your Deep Security Manager runs on premises, you can choose either option. To forward events through the Deep Security Manager, follow the Trend Micro documentation, Forward security events from the agent computers via the Deep Security Manager.
The Trend Micro Deep Security plugin automatically processes all messages when the raw message contains "Trend Micro|Deep Security (Agent|Manager)".
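As an added example (not code from the USM Anywhere documentation or the plugin itself), the following Python shows how a collector could apply the trigger rule above and normalize a matched message into header and extension fields. It assumes the agents and manager forward events as CEF over syslog; the sample lines and their values are constructed.

```python
import re
# Trigger quoted on the page: a raw message must contain
# "Trend Micro|Deep Security (Agent|Manager)", read here as an alternation.
TRIGGER = re.compile(r"Trend Micro\|Deep Security (Agent|Manager)")
# CEF header layout (assumption: the agents/manager forward syslog in CEF):
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")

def is_deep_security_message(raw: str) -> bool:
    """True if the plugin's trigger pattern occurs anywhere in the raw line."""
    return TRIGGER.search(raw) is not None

def split_cef(payload: str) -> list:
    """Split the text after 'CEF:' on unescaped '|' (a literal pipe is '\\|')."""
    parts, buf, i = [], [], 0
    while i < len(payload) and len(parts) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):  # escaped char: keep verbatim
            buf.append(payload[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(payload[i:])                    # remainder is the extension
    return parts

def parse_deep_security(raw: str):
    """Normalize one syslog line, or return None if the plugin would not claim it."""
    if not is_deep_security_message(raw) or "CEF:" not in raw:
        return None
    parts = split_cef(raw.split("CEF:", 1)[1])
    if len(parts) != 8:                          # fewer than 7 pipes: malformed
        return None
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension values may contain spaces, so cut only before the next key=.
    event["extension"] = {m.group(1): m.group(2) for m in
                          re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return event

# Constructed sample lines (not real Deep Security output): two the plugin
# should claim and one from another product that it should ignore.
SAMPLES = [
    "<134>Mar  1 10:00:00 web01 CEF:0|Trend Micro|Deep Security Agent|20.0.0.1|"
    "4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=web01 act=Delete",
    "<134>Mar  1 10:00:01 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.0.1|"
    "600|User Signed In|3|src=10.0.0.5 suser=admin",
    "<134>Mar  1 10:00:02 fw01 CEF:0|Other Vendor|Firewall|1.0|100|Blocked|5|src=10.0.0.9",
]
```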
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.