Trend Micro Deep Security

Collect logs from Trend Micro Deep Security with Elastic Agent.

Version
2.3.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

Overview

Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from Deep Security via syslog server.

Data Streams

This integration supports deep_security data stream. See more details from Deep Security logging documentation here.

Requirements

Elastic Agent is required to ingest data from Deep Security. For more information, refer to the link here.

Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

The minimum kibana.version required is 8.11.0.

This integration has been tested against Deep Security 20. Please note if you have a Trend Micro Vision One XDR license, we recommend using the Vision One integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see here.

Setup

Follow the setup guide to forward deep security events to a syslog server.

Enabling the integration in Elastic:

  1. In Kibana go to Management > Integrations
  2. In "Search for integrations" search bar, type Trend Micro.
  3. Click on the "Trend Micro" integration from the search results.
  4. Click on the "Add Trend Micro" button to add the integration.
  5. Add all the required integration configuration parameters according to the enabled input type.
  6. Click on "Save and Continue" to save the integration.

Logs

Deep Security Logs

Deep Security logs collect the trendmicro deep security logs.

An example event for deep_security looks as following:

{
    "@timestamp": "2020-09-21T07:21:11.000Z",
    "agent": {
        "ephemeral_id": "2ea89e49-a391-4415-a8c4-c0ad743e691b",
        "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.11.0"
    },
    "data_stream": {
        "dataset": "trendmicro.deep_security",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
        "snapshot": false,
        "version": "8.11.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "code": "5000000",
        "dataset": "trendmicro.deep_security",
        "ingested": "2024-03-20T09:48:02Z",
        "kind": "event",
        "original": "194 <86>2020-09-21T13:51:11+06:30 DeepSec Logs CEF:0|Trend Micro|Deep Security Agent|10.2.229|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin",
        "severity": 5,
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "host": {
        "id": "1"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.224.7:54066"
        },
        "syslog": {
            "priority": 86
        }
    },
    "message": "Blocked By Admin",
    "observer": {
        "hostname": "hostname",
        "product": "Deep Security Agent",
        "vendor": "Trend Micro",
        "version": "10.2.229"
    },
    "related": {
        "hosts": [
            "1"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "trendmicro.deep_security"
    ],
    "trendmicro": {
        "deep_security": {
            "device": {
                "custom_number1": {
                    "label": "Host ID"
                }
            },
            "event_category": "web-reputation-event",
            "signature_id": 5000000,
            "version": "0"
        }
    },
    "url": {
        "original": "example.com"
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset.
constant_keyword
event.module
Event module.
constant_keyword
input.type
Type of filebeat input.
keyword
log.file.device_id
ID of the device containing the filesystem where the file resides.
keyword
log.file.fingerprint
The sha256 fingerprint identity of the file when fingerprinting is enabled.
keyword
log.file.idxhi
The high-order part of a unique identifier that is associated with a file. (Windows-only)
keyword
log.file.idxlo
The low-order part of a unique identifier that is associated with a file. (Windows-only)
keyword
log.file.inode
Inode number of the log file.
keyword
log.file.vol
The serial number of the volume that contains a file. (Windows-only)
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
source.process.name
Source process name.
keyword
trendmicro.deep_security.action
The action detected by the integrity rule.
keyword
trendmicro.deep_security.aggregation_type
An integer that indicates how the event is aggregated:.
keyword
trendmicro.deep_security.base_event_count
Base event count.
long
trendmicro.deep_security.bytes_in
Number of inbound bytes read.
long
trendmicro.deep_security.computer_name
The computer name.
keyword
trendmicro.deep_security.destination.address
IP address of the destination computer.
ip
trendmicro.deep_security.destination.mac_address
Destination MAC Address.
keyword
trendmicro.deep_security.destination.port
Port number of the destination computer's connection or session.
long
trendmicro.deep_security.destination.user_name
Destination user name.
keyword
trendmicro.deep_security.device.custom_number1.label
The name label for the field cn1.
keyword
trendmicro.deep_security.device.custom_number1.value
The value for the field cn1.
keyword
trendmicro.deep_security.device.custom_number2.label
The name label for the field cn2.
keyword
trendmicro.deep_security.device.custom_number2.value
The value for the field cn2.
long
trendmicro.deep_security.device.custom_number3.label
The name label for the field cn3.
keyword
trendmicro.deep_security.device.custom_number3.value
The value for the field cn3.
long
trendmicro.deep_security.device.custom_string1.label
The name label for the field cs1.
keyword
trendmicro.deep_security.device.custom_string1.value
The value for the field cs1.
keyword
trendmicro.deep_security.device.custom_string2.label
The name label for the field cs2.
keyword
trendmicro.deep_security.device.custom_string2.value
The value for the field cs2.
keyword
trendmicro.deep_security.device.custom_string3.label
The name label for the field cs3.
keyword
trendmicro.deep_security.device.custom_string3.value
The value for the field cs3.
keyword
trendmicro.deep_security.device.custom_string4.label
The name label for the field cs4.
keyword
trendmicro.deep_security.device.custom_string4.value
The value for the field cs4.
keyword
trendmicro.deep_security.device.custom_string5.label
The name label for the field cs5.
keyword
trendmicro.deep_security.device.custom_string5.value
The value for the field cs5.
keyword
trendmicro.deep_security.device.custom_string6.label
The name label for the field cs6.
keyword
trendmicro.deep_security.device.custom_string6.value
The value for the field cs6.
keyword
trendmicro.deep_security.device.custom_string7.label
The name label for the field cs7.
keyword
trendmicro.deep_security.device.custom_string7.value
The value for the field cs7.
keyword
trendmicro.deep_security.device.product
Product name.
keyword
trendmicro.deep_security.device.vendor
Vendor name.
keyword
trendmicro.deep_security.device.version
Product version.
keyword
trendmicro.deep_security.deviceHostName
The hostname for cn1.
keyword
trendmicro.deep_security.domain_name
The domain name.
keyword
trendmicro.deep_security.event_category
Event category of deep security event.
keyword
trendmicro.deep_security.event_class_id
Event Class ID.
keyword
trendmicro.deep_security.file.hash
The SHA 256 hash that identifies the software file.
keyword
trendmicro.deep_security.file.size
The file size in bytes.
long
trendmicro.deep_security.file_path
The location of the malware file.
keyword
trendmicro.deep_security.filename
The file name that was accessed.
keyword
trendmicro.deep_security.message
A list of changed attribute names.
keyword
trendmicro.deep_security.model
The product name of the device.
keyword
trendmicro.deep_security.name
CEF event containing message.
keyword
trendmicro.deep_security.permission
The block reason of the access.
keyword
trendmicro.deep_security.process.name
The process name.
keyword
trendmicro.deep_security.repeat_count
The number of occurrences of the event.
keyword
trendmicro.deep_security.request_url
The URL of the request.
keyword
trendmicro.deep_security.result
The result of the failed Anti-Malware action.
keyword
trendmicro.deep_security.serial
The serial number of the device.
keyword
trendmicro.deep_security.severity
Severity of the Event.
long
trendmicro.deep_security.signature_id
Signature ID of event.
long
trendmicro.deep_security.source.address
Source computer IP address.
ip
trendmicro.deep_security.source.host_name
Source computer hostname.
keyword
trendmicro.deep_security.source.mac_address
MAC address of the source computer's network interface.
keyword
trendmicro.deep_security.source.port
Port number of the source computer's connection or session.
long
trendmicro.deep_security.source.process_name
The name of the event's source process.
keyword
trendmicro.deep_security.source.user_id
Source user ID.
keyword
trendmicro.deep_security.source.user_name
Account of the user who changed the file being monitored.
keyword
trendmicro.deep_security.target.id
The identifier added in the manager.
keyword
trendmicro.deep_security.target.value
The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer.
keyword
trendmicro.deep_security.transport_protocol
Name of the transport protocol used.
keyword
trendmicro.deep_security.trendmicro.ds_behavior.rule_id
The behavior monitoring rule ID for internal malware case tracking.
keyword
trendmicro.deep_security.trendmicro.ds_behavior.type
The type of behavior monitoring event detected.
keyword
trendmicro.deep_security.trendmicro.ds_command_line
The commands that the subject process executes.
keyword
trendmicro.deep_security.trendmicro.ds_cve
The CVE information, if the process behavior is identified in one of Common Vulnerabilities and Exposures.
keyword
trendmicro.deep_security.trendmicro.ds_detection_confidence
Indicates how closely the file matched the malware model.
long
trendmicro.deep_security.trendmicro.ds_file.md5
The MD5 hash of the file.
keyword
trendmicro.deep_security.trendmicro.ds_file.sha1
The SHA1 hash of the file.
keyword
trendmicro.deep_security.trendmicro.ds_file.sha256
The SHA256 hash of the file.
keyword
trendmicro.deep_security.trendmicro.ds_frame_type
Connection ethernet frame type.
keyword
trendmicro.deep_security.trendmicro.ds_malware_target.count
The number of target files.
long
trendmicro.deep_security.trendmicro.ds_malware_target.type
The type of system resource that this malware was trying to affect.
keyword
trendmicro.deep_security.trendmicro.ds_malware_target.value
The file, process, or registry key (if any) that the malware was trying to affect.
keyword
trendmicro.deep_security.trendmicro.ds_mitre
The MITRE information, if the process behavior is identified in one of MITRE attack scenarios.
keyword
trendmicro.deep_security.trendmicro.ds_packet_data
The packet data, represented in Base64.
keyword
trendmicro.deep_security.trendmicro.ds_process
Name of ds process.
keyword
trendmicro.deep_security.trendmicro.ds_relevant_detection_names
Probable Threat Type.
keyword
trendmicro.deep_security.trendmicro.ds_tenant
Deep Security tenant.
keyword
trendmicro.deep_security.trendmicro.ds_tenant_id
Deep Security tenant ID.
keyword
trendmicro.deep_security.type
The device type of the device.
keyword
trendmicro.deep_security.version
Deep Security version.
keyword
trendmicro.deep_security.xff
The IP address of the last hub in the X-Forwarded-For header.
ip

Changelog

VersionDetailsKibana version(s)

2.3.0

Enhancement View pull request
Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.2.0

Enhancement View pull request
Add ECS categorizations for anti-malware events.

8.11.0 or higher

2.1.0

Enhancement View pull request
Use CEF name as event.action if no action is specified.

8.11.0 or higher

2.0.0

Enhancement View pull request
Breaking changes for improved ECS mappings, new dashboards and compatibility with Deep Security v20.

Enhancement View pull request
Update the minimum kibana version to 8.11.0.

8.11.0 or higher

1.8.4

Enhancement View pull request
Changed owners

8.6.0 or higher

1.8.3

Bug fix View pull request
Update ECS categorization field mappings.

8.6.0 or higher

1.8.2

Bug fix View pull request
Fix exclude_files pattern.

8.6.0 or higher

1.8.1

Bug fix View pull request
Handle length prefix in octet counted TCP messages.

8.6.0 or higher

1.8.0

Enhancement View pull request
Add support for TLS.

8.6.0 or higher

1.7.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.6.0 or higher

1.6.0

Enhancement View pull request
Adapt fields for changes in file system info

8.6.0 or higher

1.5.0

Enhancement View pull request
Set 'community' owner type.

8.6.0 or higher

1.4.0

Enhancement View pull request
ECS version updated to 8.10.0.

8.6.0 or higher

1.3.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

8.6.0 or higher

1.2.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.6.0 or higher

1.1.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.6.0 or higher

1.0.0

Enhancement View pull request
Release Trend Micro Deep Security as GA.

8.6.0 or higher

0.5.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

0.4.0

Enhancement View pull request
Update package to ECS 8.8.0.

0.3.0

Enhancement View pull request
Update package-spec version to 2.7.0.

0.2.0

Enhancement View pull request
Update package to ECS 8.7.0.

0.1.0

Enhancement View pull request
Initial draft of the package

On this page