Overview

Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from Deep Security via syslog server.

Data Streams

This integration supports deep_security data stream. See more details from Deep Security logging documentation here.

Requirements

Elastic Agent is required to ingest data from Deep Security. For more information, refer to the link here.

Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

The minimum kibana.version required is 8.11.0.

This integration has been tested against Deep Security 20. Please note if you have a Trend Micro Vision One XDR license, we recommend using the Vision One integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see here.

Setup

Follow the setup guide to forward deep security events to a syslog server.

Enabling the integration in Elastic:

1. In Kibana go to Management > Integrations
2. In "Search for integrations" search bar, type Trend Micro.
3. Click on the "Trend Micro" integration from the search results.
4. Click on the "Add Trend Micro" button to add the integration.
5. Add all the required integration configuration parameters according to the enabled input type.
6. Click on "Save and Continue" to save the integration.

Logs

Deep Security Logs

Deep Security logs collect the trendmicro deep security logs.

An example event for deep_security looks as following:

{
    "@timestamp": "2020-09-21T07:21:11.000Z",
    "agent": {
        "ephemeral_id": "2ea89e49-a391-4415-a8c4-c0ad743e691b",
        "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.11.0"
    },
    "data_stream": {
        "dataset": "trendmicro.deep_security",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
        "snapshot": false,
        "version": "8.11.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "code": "5000000",
        "dataset": "trendmicro.deep_security",
        "ingested": "2024-03-20T09:48:02Z",
        "kind": "event",
        "original": "194 <86>2020-09-21T13:51:11+06:30 DeepSec Logs CEF:0|Trend Micro|Deep Security Agent|10.2.229|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin",
        "severity": 5,
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "host": {
        "id": "1"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.224.7:54066"
        },
        "syslog": {
            "priority": 86
        }
    },
    "message": "Blocked By Admin",
    "observer": {
        "hostname": "hostname",
        "product": "Deep Security Agent",
        "vendor": "Trend Micro",
        "version": "10.2.229"
    },
    "related": {
        "hosts": [
            "1"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "trendmicro.deep_security"
    ],
    "trendmicro": {
        "deep_security": {
            "device": {
                "custom_number1": {
                    "label": "Host ID"
                }
            },
            "event_category": "web-reputation-event",
            "signature_id": 5000000,
            "version": "0"
        }
    },
    "url": {
        "original": "example.com"
    }
}

Exported fields

Changelog