Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Trend Micro Deep Discovery Director

 

The JSA DSM for Trend Micro Deep Discovery Director collects LEEF formatted events from a Trend Micro Deep Discovery Director device.

To integrate Trend Micro Deep Discovery Director with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent versions of the following RPMs:

    • Trend Micro Deep Discovery Inspector DSM RPM

    • Trend Micro Deep Discovery Director DSM RPM

  2. Configure your Trend Micro Deep Discovery Director device to send events to JSA.

  3. If JSA does not automatically detect Trend Micro Deep Discovery Director as a log source, create a Trend Micro Deep Discovery Inspector log source on the JSA Console. The following table describes the parameters that require specific values to collect Syslog events from Trend Micro Deep Discovery Director:

    Table 1: Trend Micro Deep Discovery Director Log Source Parameters

    Parameter

    Value

    Log Source type

    Trend Micro Deep Discovery Director

    Protocol Configuration

    Syslog

    Log Source Identifier

    The IPv4 address or host name that identifies the log source. If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Trend Micro Deep Discovery Director DSM Specifications

The following table identifies the specifications for the Trend Micro Deep Discovery Director DSM:

Table 2: Trend Micro Deep Discovery Director DSM specifications

Specification

Value

Manufacturer

Trend Micro

DSM name

Trend Micro Deep Discovery Director

RPM file name

DSM-TrendMicroDeepDiscoveryDirector-

JSA_version-build_number.noarch.rpm

Supported versions

V3.0

Protocol

Syslog

Event format

LEEF

JSA recorded event types

Trend Micro Deep Discovery Inspector Events

Automatically discovered?

Yes

Included identity?

No

Includes custom properties?

No

More information

Trend Micro Deep Discovery Director product information (

Configuring Trend Micro Deep Discovery Director to communicate with JSA

To collect events from Trend Micro Deep Discovery Director, configure your Trend Micro Deep Discovery Director device to forward syslog events to JSA.

  1. Log in to your Trend Micro Deep Discovery Director device.
  2. Click Administration > Integrated Products/Services >Syslog.
  3. Click Add, and then select Enabled.
  4. Configure the parameters in the following table.

    Table 3: Trend Micro Deep Discovery Director

    Parameter

    Description

    Profile name

    The name for the Deep Discovery Director syslog server.

    Server address

    The IP address of your JSA Console or Event Collector

    Port

    • SSL/TLS - 6514 (default port)

    • TCP - 601

    • UDP - 514

    Protocol

    • SSL/TLS

    • TCP

    • UDP

    Log format

    LEEF

    Scope

    The events that you want to forward o JSA

  5. Click Save.

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides sample event messages when using the Syslog protocol for the Trend Micro Deep Discovery Director DSM:

Table 4: Trend Micro Deep Discovery Director sample message supported by Trend Micro Deep Discovery Director

Event name

Low-level category

Sample log message

DENYLIST _CHANGE

Successful Configuration Modification

Oct 24 12:37:32 ddd35-1.ddxqa.com LEEF:1.0|Trend Micro|Deep Discovery Director|3.5.0.1174|DENYLIST _CHANGE|devTime=Oct 24 2018 12:37:32 GMT+08:00 devTimeFormat=MMM dd yyyy HH:mm:ss z sev=3 dvc=198.51.100.88 dvchost=ddd35 -1.ddxqa.com deviceMacAddress=00-00-5E-00-5 3-00 deviceGUID=C4AC760E-8721-4B46

-B966-47B D419376D8 end=Jan 19 2038 11:14:07 GMT+08:0 0 act=Add type=Deny List IP/Port dst=198.51.100.55 deviceExternalRiskType=High pComp=UDSO

SECURITY _RISK_ DETECTION

Potential Misc Exploit

<156>LEEF:1.0|Trend Micro|Deep Discovery Director

|2.0.0.1129|SECURITY_RISK_DETECTION| Origin=Inspector devTimeFormat=MMM dd yyyy HH:mm:ss z ptype=IDS dvc=198.51.10065 device MacAddress=00-00-5E-00-53-00 dvchost=localhost

deviceGUID=

E77B0BE4474D-

4413AF2F-

752E-5810-1B11 devTime=

May 25 2017 05:59:53 GMT+00:00 sev=8 origin=Inspector protoGroup=SQL proto=UDP vLAN Id=4095 deviceDirection=1 dhost=hit-nxdomain.o pendns.com dst=198.51.100.9 dstPort=1207 dstMAC =00:00:0c:07:ac:0 shost=198.51.100.22 src=198. 55.100.7 srcPort=1060 srcMAC=00:00:0c:07:ac:0 malName=OPS_HTTP_SASFIS_REQUEST malType=FRAUD sAttackPhase=Data Exfiltration fname=controller. php fileType=458757 fsize=520704 ruleId=328 msg =WEMON - HTTP (Request) deviceRiskConfidenceLevel =1 duser=username@example.com suser=username@ex ample.com mailMsgSubject=Mail Subject botCommand =msblast.exe botUrl=0005 channelName=#Infected chatUserName=fhkvmxya url=http://1.alisiosanguer a.com.cn/cgi-bin/forms.cgi requestClientApplicat ion=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) pComp=VSAPI riskType=0 com pressedFileName=test_inarc mitigationTaskId=48b 3d717-f30f-4890-8627-50bf75fbb6aa srcGroup=Defa ult srcZone=1 dstGroup=Default dstZone=1 detect ionType=2 act=not blocked threatType=1 interest edIp=198.51.100.35 peerIp=198.51.100.8 fileHash =

F1C9FCF4B2F74E8EE53B

6C006A4977F798A4D872

sUser1 =srcusername1 sUser1LoginTime=Mar 09 2017 12:34: 56 GMT+00:00 sUser2=srcusername2 sUser2LoginTime =Mar 09 2017 12:34:56 GMT+00:00 sUser3=srcuserna me3 sUser3LoginTime=Mar 09 2017 12:34:56 GMT+00: 00 dUser1=dstusername1 dUser1LoginTime=Mar 09 20 17 12:34:56 GMT+00:00 dUser2=dstusername2 dUser 2LoginTime=Mar 09 2017 12:34:56 GMT+00:00 dUser 3=dstusername3 dUser3LoginTime=Mar 09 2017 12: 34:56 GMT+00:00 suid=TsGh{USA-XP}803469 * 0 : (null) hostName=datingtipstricks.info cnt=4 sOS Name=Windows dOSName=Windows aggregatedCnt=1 ccc aDestinationFormat=URL cccaDetectionSource=RELE VANCE_RULE cccaRiskLevel=1 cccaDestination=xili .zerolost.org cccaDetection=1 evtCat=Malware ev tSubCat=Grayware aptRelated=1 hackerGroup=defau lt hackingCampaign=IXESHE malFamily=ZEUS pAtta ckPhase=0 oldFileSize=65530 oldFileType=15073 28

oldFile

Hash=5A272B7441328E0

9704B6D7EABDBD5

1B8858FDE4 oldFileName=attachment

Port

  • SSL/TLS - 6514 (default port)

  • TCP - 601

  • UDP - 514

Protocol

  • SSL/TLS

  • TCP

  • UDP

Log format

LEEF

Scope

The events that you want to forward o JSA