Trend Micro Apex Central

 

The JSA DSM for Trend Micro Apex Central collects Syslog or TLS syslog events from a Trend Micro Apex Central device.

To integrate Trend Micro Apex Central with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from Juniper Downloads onto your JSA Console:
    • DSM Common RPM
    • Trend Micro Apex Central DSM RPM

  2. Configure your Trend Micro Apex Central device to send events to JSA. For more information, see Configuring Trend Micro Apex Central to communicate with JSA.
  3. If JSA does not automatically detect the log source, add a Trend Micro Apex Central log source on the JSA Console.

Trend Micro Apex Central DSM Specifications

When you configure Trend Micro Apex Central, understanding the specifications for the Trend Micro Apex Central DSM can help ensure a successful integration. For example, knowing which version of Trend Micro Apex Central is supported before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the Trend Micro Apex Central DSM.

Table 1: Trend Micro Apex Central DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | Trend Micro |
| DSM name | Trend Micro Apex Central |
| RPM file name | DSM-TrendMicroApexCentral-JSA_version-build_number.noarch.rpm |
| Supported version | 1 |
| Protocol | Syslog, TLS syslog |
| Event format | CEF |
| Recorded event types | Attack discovery detection logs, Behavior monitoring logs, C&C callback logs, Content security logs, Data loss prevention logs, Device access control logs, Endpoint application control logs, Engine update status log, Network content inspection logs, Pattern Update Status Logs, Predictive machine learning logs, Sandbox detection logs, Spyware/Grayware logs, Suspicious file logs, Virus/Malware logs, Web security logs |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Trend Micro Apex Central website |

Configuring Trend Micro Apex Central to communicate with JSA

Configure your Trend Micro Apex Central device to forward Common Event Format (CEF) events to JSA.

  1. Log in to your Apex Central console as Administrator.
  2. Configure the syslog settings.
    1. Click Detections > Notifications > Notifications Method Settings.

    2. In the Syslog Settings section, configure the following parameters:

      Table 2: Syslog Settings Parameters

      | Parameter | Value |
      |---|---|
      | Server IP address | The IPv4 or IPv6 address of your syslog server. |
      | Port | The port number of your syslog server. |
      | Facility | Select the facility code. |

    3. Click Save.

  3. Enable syslog forwarding.
    1. Click Administration > Settings > Syslog Settings.

    2. Select the Enable syslog forwarding checkbox.

    3. To send events to JSA, configure the following syslog forwarding parameters:

      Table 3: Syslog Forwarding Parameters

      | Parameter | Value |
      |---|---|
      | Server address | The IP address of your JSA Console or Event Collector. |
      | Port | SSL/TLS - 6514 (default port); TCP - 601; UDP - 514 |
      | Protocol | SSL/TLS, TCP, UDP |
      | Format | CEF |
      | Log type | Select Security logs from the list, and then select the types of events that you want to forward to JSA. |

    4. To test the connection, click Test Connection.

    5. Click Save.

Syslog Log Source Parameters for Trend Micro Apex Central

If JSA does not automatically detect the log source, add a Trend Micro Apex Central log source on the JSA Console by using the Syslog protocol.

When you use the Syslog protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect Syslog events from Trend Micro Apex Central:

Table 4: Syslog Log Source Parameters for the Trend Micro Apex Central DSM

| Parameter | Value |
|---|---|
| Log Source type | Trend Micro Apex Central |
| Protocol Configuration | Syslog |
| Log Source Identifier | The IP address or host name for the log source. |

TLS Syslog Log Source Parameters for Trend Micro Apex Central

If JSA does not automatically detect the log source, add a Trend Micro Apex Central log source on the JSA Console by using the TLS syslog protocol.

When you use the TLS syslog protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect TLS syslog events from Trend Micro Apex Central:

Table 5: TLS Syslog Log Source Parameters for the Trend Micro Apex Central DSM

| Parameter | Value |
|---|---|
| Log Source type | Trend Micro Apex Central |
| Protocol Configuration | TLS Syslog |
| Log Source Identifier | A unique name to identify the log source. |
| TLS Protocols | Select the version of TLS that is installed on the client. |

Trend Micro Apex Central Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Trend Micro Apex Central sample messages when you use the TLS syslog protocol

Sample 1: The following sample event message shows that a callback from source 10.201.86.187 to destination 10.201.86.195 is detected and blocked.

Table 6: JSA Field Names and Highlighted Values in the Event Payload

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | CnC:Block |
| Source IP | 10.201.86.187 |
| Destination IP | 10.201.86.195 |
| Device Time | Oct 11 2017 06:34:09 GMT+00:00 |

Sample 2: The following sample event message shows that a suspicious connection has occurred.

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | NCIE:Pass |
| Source IP | 10.201.86.152 |
| Source Port | 54594 |
| Destination IP | 10.69.81.64 |
| Destination Port | 80 |
| Device Time | Oct 11 2017 06:34:06 GMT+00:00 |
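
An added example (not part of the Juniper documentation): a small Python check that applies the clean-up step from the Note above to a pasted payload, parses the CEF record, and returns the values expected in the JSA fields of the sample tables. The payload is constructed around the Sample 1 values, and the mapping of JSA field names to CEF fields (`JSA_FIELDS`) is an assumption, as are the function names.

```python
import re

# Constructed CEF payload (not the vendor's sample); only the four Sample 1
# values come from the page. The CR/LF imitates a line wrapped during pasting.
PASTED = (
    "CEF:0|Trend Micro|Apex Central|0.0|CnC:Block|CnC Callback|3|"
    "rt=Oct 11 2017 06:34:09 GMT+00:00 src=10.201.86.187\r\n"
    " dst=10.201.86.195 act=Block msg=constructed\\=example"
)

# Assumed mapping from JSA field name to the CEF header field or extension key.
JSA_FIELDS = {"Event ID": "signature_id", "Source IP": "src",
              "Destination IP": "dst", "Device Time": "rt"}
HEADER = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
KEY = re.compile(r"(?:^|\s)(\w+)=")  # start of an extension key, not '\='


def parse_cef(raw):
    """Parse one CEF record into a flat dict of header and extension fields."""
    line = re.sub(r"[\r\n]+", "", raw)  # remove carriage returns / line feeds
    start = line.find("CEF:")           # tolerate a leading syslog header
    if start < 0:
        raise ValueError("not a CEF record")
    # Split on unescaped pipes only: seven header fields, then the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    event = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts)}
    ext = parts[7]
    # Values may contain spaces (see rt), so each runs to the next ' key='.
    keys = list(KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return event


def jsa_view(raw):
    """Return the values expected in the JSA fields of the sample tables."""
    event = parse_cef(raw)
    return {field: event.get(key) for field, key in JSA_FIELDS.items()}


if __name__ == "__main__":
    for field, value in jsa_view(PASTED).items():
        print(f"{field:15} {value}")
```

Splitting the extension on whitespace would truncate the Device Time value, which is why the parser delimits values by the next key instead.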