Trend Micro Deep Security
The JSA DSM for Trend Micro Deep Security can collect logs from your Trend Micro Deep Security server.
The following table identifies the specifications for the Trend Micro Deep Security DSM:
Specification |
Value |
---|---|
Manufacturer |
Trend Micro |
DSM name |
Trend Micro Deep Security |
RPM file name |
DSM-TrendMicroDeepSecurity- JSA_version-build_number.noarch.rpm |
Supported versions |
9.6.1532+ V9.6.1532 to V12.0 |
Event format |
Log Event Extended Format |
Recorded event types |
Anti-Malware Deep Security Firewall Integrity Monitor Intrusion Prevention Log Inspection System Web Reputation |
Automatically discovered? |
Yes |
Includes identity? |
No |
Includes custom properties? |
No |
More information |
Trend Micro website (https://www.trendmicro.com/us/) |
To integrate Trend Micro Deep Security with JSA, complete the following steps:
-
If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA Console:
-
Trend Micro Deep Security DSM RPM
-
DSMCommon RPM
-
Configure your Trend Micro Deep Security device to send syslog events to JSA.
If JSA does not automatically detect the log source, add a Trend Micro Deep Security DSM log source on the JSA Console. The following table describes the parameters that require specific values for Trend Micro Deep Security DSM event collection:
Table 2: Trend Micro Deep Security DSM Log Source Parameters Parameter
Value
Log Source type
Trend Micro Deep Security
Protocol Configuration
Syslog
Configuring Trend Micro Deep Security to Communicate with JSA
To collect all events from Trend Micro Deep Security, you must specify JSA as the Syslog server and configure the Syslog format on your Trend Micro Deep Security device.
Ensure that Deep Security Manager is installed and configured on your Trend Micro Deep Security Device.
Click Administration >System Settings >SIEM .
From the System Event Notification (from the Manager) pane in the Manager section, enable the Forward System Events to remote computer (via Syslog) option.
Type the host name or the IP address of the JSA system.
Type 514 for the UDP port.
Select the Syslog Facility that you want to use.
Select LEEF for the Syslog Format.
Note:Trend Micro Deep Security sends events only in LEEF format from the Deep Security Manager. If you select the Direct forward option on the SIEM tab, you cannot select Log Event Extended Format 2.0 for the Syslog Format.
Trend Micro Deep Security Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
Trend Micro Deep Security sample message when you use the Syslog protocol
<>Jul 14 01:32:31 trendmicro.deepsecurity.test
LEEF:2.0|Trend Micro|Deep Security Mana ger|11.0.221|851|cat=System
name=Reconnaissance Detected: Network or Port Scan desc=The A gent/Appliance
detected an attempt to scan a computer or a network. Check the Agent/Appliance
Events to see the details of the scan. sev=6 src=192.168.187.196 usrName=qradar
targe t=testTarget6 msg=The Agent/Appliance detected an attempt to
scan a computer or a network. Chec k the Agent/Appliance Events to
see the details of the scan. TrendMicroDsTenant=Primary T rendMicroDsTenantId=0