› ›

Trendmicro Integration

Version	2.6.0 (View all)
Compatible Kibana version(s)	8.13.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

Overview

edit

Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from Deep Security via syslog server.

Data Streams

edit

This integration supports deep_security data stream. See more details from Deep Security logging documentation here.

Requirements

edit

Elastic Agent is required to ingest data from Deep Security. For more information, refer to the link here.

Installing and managing an Elastic Agent:

edit

You have a few options for installing and managing an Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):

edit

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):

edit

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:

edit

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

The minimum kibana.version required is 8.11.0.

This integration has been tested against Deep Security 20. Please note if you have a Trend Micro Vision One XDR license, we recommend using the Vision One integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see here.

Setup

edit

Follow the setup guide to forward deep security events to a syslog server.

Enabling the integration in Elastic:

edit

In Kibana go to Management > Integrations
In "Search for integrations" search bar, type Trend Micro.
Click on the "Trend Micro" integration from the search results.
Click on the "Add Trend Micro" button to add the integration.
Add all the required integration configuration parameters according to the enabled input type.
Click on "Save and Continue" to save the integration.

Logs

edit

Deep Security Logs

edit

Deep Security logs collect the trendmicro deep security logs.

Example

An example event for deep_security looks as following:

{
    "@timestamp": "2020-09-21T07:21:11.000Z",
    "agent": {
        "ephemeral_id": "2ea89e49-a391-4415-a8c4-c0ad743e691b",
        "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.11.0"
    },
    "data_stream": {
        "dataset": "trendmicro.deep_security",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
        "snapshot": false,
        "version": "8.11.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "code": "5000000",
        "dataset": "trendmicro.deep_security",
        "ingested": "2024-03-20T09:48:02Z",
        "kind": "event",
        "original": "194 <86>2020-09-21T13:51:11+06:30 DeepSec Logs CEF:0|Trend Micro|Deep Security Agent|10.2.229|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin",
        "severity": 5,
        "timezone": "UTC",
        "type": [
            "info"
        ]
    },
    "host": {
        "id": "1"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.224.7:54066"
        },
        "syslog": {
            "priority": 86
        }
    },
    "message": "Blocked By Admin",
    "observer": {
        "hostname": "hostname",
        "product": "Deep Security Agent",
        "vendor": "Trend Micro",
        "version": "10.2.229"
    },
    "related": {
        "hosts": [
            "1"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "trendmicro.deep_security"
    ],
    "trendmicro": {
        "deep_security": {
            "device": {
                "custom_number1": {
                    "label": "Host ID"
                }
            },
            "event_category": "web-reputation-event",
            "signature_id": 5000000,
            "version": "0"
        }
    },
    "url": {
        "original": "example.com"
    }
}

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset.	constant_keyword
event.module	Event module.	constant_keyword
input.type	Type of filebeat input.	keyword
log.file.device_id	ID of the device containing the filesystem where the file resides.	keyword
log.file.fingerprint	The sha256 fingerprint identity of the file when fingerprinting is enabled.	keyword
log.file.idxhi	The high-order part of a unique identifier that is associated with a file. (Windows-only)	keyword
log.file.idxlo	The low-order part of a unique identifier that is associated with a file. (Windows-only)	keyword
log.file.inode	Inode number of the log file.	keyword
log.file.vol	The serial number of the volume that contains a file. (Windows-only)	keyword
log.offset	Log offset.	long
log.source.address	Source address from which the log event was read / sent from.	keyword
source.process.name	Source process name.	keyword
trendmicro.deep_security.action	The action detected by the integrity rule.	keyword
trendmicro.deep_security.aggregation_type	An integer that indicates how the event is aggregated:.	keyword
trendmicro.deep_security.base_event_count	Base event count.	long
trendmicro.deep_security.bytes_in	Number of inbound bytes read.	long
trendmicro.deep_security.computer_name	The computer name.	keyword
trendmicro.deep_security.destination.address	IP address of the destination computer.	ip
trendmicro.deep_security.destination.mac_address	Destination MAC Address.	keyword
trendmicro.deep_security.destination.port	Port number of the destination computer’s connection or session.	long
trendmicro.deep_security.destination.user_name	Destination user name.	keyword
trendmicro.deep_security.device.custom_number1.label	The name label for the field cn1.	keyword
trendmicro.deep_security.device.custom_number1.value	The value for the field cn1.	keyword
trendmicro.deep_security.device.custom_number2.label	The name label for the field cn2.	keyword
trendmicro.deep_security.device.custom_number2.value	The value for the field cn2.	long
trendmicro.deep_security.device.custom_number3.label	The name label for the field cn3.	keyword
trendmicro.deep_security.device.custom_number3.value	The value for the field cn3.	long
trendmicro.deep_security.device.custom_string1.label	The name label for the field cs1.	keyword
trendmicro.deep_security.device.custom_string1.value	The value for the field cs1.	keyword
trendmicro.deep_security.device.custom_string2.label	The name label for the field cs2.	keyword
trendmicro.deep_security.device.custom_string2.value	The value for the field cs2.	keyword
trendmicro.deep_security.device.custom_string3.label	The name label for the field cs3.	keyword
trendmicro.deep_security.device.custom_string3.value	The value for the field cs3.	keyword
trendmicro.deep_security.device.custom_string4.label	The name label for the field cs4.	keyword
trendmicro.deep_security.device.custom_string4.value	The value for the field cs4.	keyword
trendmicro.deep_security.device.custom_string5.label	The name label for the field cs5.	keyword
trendmicro.deep_security.device.custom_string5.value	The value for the field cs5.	keyword
trendmicro.deep_security.device.custom_string6.label	The name label for the field cs6.	keyword
trendmicro.deep_security.device.custom_string6.value	The value for the field cs6.	keyword
trendmicro.deep_security.device.custom_string7.label	The name label for the field cs7.	keyword
trendmicro.deep_security.device.custom_string7.value	The value for the field cs7.	keyword
trendmicro.deep_security.device.product	Product name.	keyword
trendmicro.deep_security.device.vendor	Vendor name.	keyword
trendmicro.deep_security.device.version	Product version.	keyword
trendmicro.deep_security.deviceHostName	The hostname for cn1.	keyword
trendmicro.deep_security.domain_name	The domain name.	keyword
trendmicro.deep_security.event_category	Event category of deep security event.	keyword
trendmicro.deep_security.event_class_id	Event Class ID.	keyword
trendmicro.deep_security.file.hash	The SHA 256 hash that identifies the software file.	keyword
trendmicro.deep_security.file.size	The file size in bytes.	long
trendmicro.deep_security.file_path	The location of the malware file.	keyword
trendmicro.deep_security.filename	The file name that was accessed.	keyword
trendmicro.deep_security.message	A list of changed attribute names.	keyword
trendmicro.deep_security.model	The product name of the device.	keyword
trendmicro.deep_security.name	CEF event containing message.	keyword
trendmicro.deep_security.permission	The block reason of the access.	keyword
trendmicro.deep_security.process.name	The process name.	keyword
trendmicro.deep_security.repeat_count	The number of occurrences of the event.	keyword
trendmicro.deep_security.request_url	The URL of the request.	keyword
trendmicro.deep_security.result	The result of the failed Anti-Malware action.	keyword
trendmicro.deep_security.serial	The serial number of the device.	keyword
trendmicro.deep_security.severity	Severity of the Event.	long
trendmicro.deep_security.signature_id	Signature ID of event.	long
trendmicro.deep_security.source.address	Source computer IP address.	ip
trendmicro.deep_security.source.host_name	Source computer hostname.	keyword
trendmicro.deep_security.source.mac_address	MAC address of the source computer’s network interface.	keyword
trendmicro.deep_security.source.port	Port number of the source computer’s connection or session.	long
trendmicro.deep_security.source.process_name	The name of the event’s source process.	keyword
trendmicro.deep_security.source.user_id	Source user ID.	keyword
trendmicro.deep_security.source.user_name	Account of the user who changed the file being monitored.	keyword
trendmicro.deep_security.target.id	The identifier added in the manager.	keyword
trendmicro.deep_security.target.value	The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer.	keyword
trendmicro.deep_security.transport_protocol	Name of the transport protocol used.	keyword
trendmicro.deep_security.trendmicro.ds_behavior.rule_id	The behavior monitoring rule ID for internal malware case tracking.	keyword
trendmicro.deep_security.trendmicro.ds_behavior.type	The type of behavior monitoring event detected.	keyword
trendmicro.deep_security.trendmicro.ds_command_line	The commands that the subject process executes.	keyword
trendmicro.deep_security.trendmicro.ds_cve	The CVE information, if the process behavior is identified in one of Common Vulnerabilities and Exposures.	keyword
trendmicro.deep_security.trendmicro.ds_detection_confidence	Indicates how closely the file matched the malware model.	long
trendmicro.deep_security.trendmicro.ds_file.md5	The MD5 hash of the file.	keyword
trendmicro.deep_security.trendmicro.ds_file.sha1	The SHA1 hash of the file.	keyword
trendmicro.deep_security.trendmicro.ds_file.sha256	The SHA256 hash of the file.	keyword
trendmicro.deep_security.trendmicro.ds_frame_type	Connection ethernet frame type.	keyword
trendmicro.deep_security.trendmicro.ds_malware_target.count	The number of target files.	long
trendmicro.deep_security.trendmicro.ds_malware_target.type	The type of system resource that this malware was trying to affect.	keyword
trendmicro.deep_security.trendmicro.ds_malware_target.value	The file, process, or registry key (if any) that the malware was trying to affect.	keyword
trendmicro.deep_security.trendmicro.ds_mitre	The MITRE information, if the process behavior is identified in one of MITRE attack scenarios.	keyword
trendmicro.deep_security.trendmicro.ds_packet_data	The packet data, represented in Base64.	keyword
trendmicro.deep_security.trendmicro.ds_process	Name of ds process.	keyword
trendmicro.deep_security.trendmicro.ds_relevant_detection_names	Probable Threat Type.	keyword
trendmicro.deep_security.trendmicro.ds_tenant	Deep Security tenant.	keyword
trendmicro.deep_security.trendmicro.ds_tenant_id	Deep Security tenant ID.	keyword
trendmicro.deep_security.type	The device type of the device.	keyword
trendmicro.deep_security.version	Deep Security version.	keyword
trendmicro.deep_security.xff	The IP address of the last hub in the X-Forwarded-For header.	ip

Changelog

edit

Changelog

Version	Details	Kibana version(s)
2.6.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".	8.13.0 or higher
2.5.0	Enhancement (View pull request) Do not remove `event.original` in main ingest pipeline.	8.13.0 or higher
2.4.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	8.13.0 or higher
2.3.0	Enhancement (View pull request) Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
2.2.0	Enhancement (View pull request) Add ECS categorizations for anti-malware events.	8.11.0 or higher
2.1.0	Enhancement (View pull request) Use CEF name as `event.action` if no action is specified.	8.11.0 or higher
2.0.0	Enhancement (View pull request) Breaking changes for improved ECS mappings, new dashboards and compatibility with Deep Security v20. Enhancement (View pull request) Update the minimum kibana version to 8.11.0.	8.11.0 or higher
1.8.4	Enhancement (View pull request) Changed owners	8.6.0 or higher
1.8.3	Bug fix (View pull request) Update ECS categorization field mappings.	8.6.0 or higher
1.8.2	Bug fix (View pull request) Fix exclude_files pattern.	8.6.0 or higher
1.8.1	Bug fix (View pull request) Handle length prefix in octet counted TCP messages.	8.6.0 or higher
1.8.0	Enhancement (View pull request) Add support for TLS.	8.6.0 or higher
1.7.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.6.0 or higher
1.6.0	Enhancement (View pull request) Adapt fields for changes in file system info	8.6.0 or higher
1.5.0	Enhancement (View pull request) Set community owner type.	8.6.0 or higher
1.4.0	Enhancement (View pull request) ECS version updated to 8.10.0.	8.6.0 or higher
1.3.0	Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.	8.6.0 or higher
1.2.0	Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.6.0 or higher
1.1.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.6.0 or higher
1.0.0	Enhancement (View pull request) Release Trend Micro Deep Security as GA.	8.6.0 or higher
0.5.0	Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors.	—
0.4.0	Enhancement (View pull request) Update package to ECS 8.8.0.	—
0.3.0	Enhancement (View pull request) Update package-spec version to 2.7.0.	—
0.2.0	Enhancement (View pull request) Update package to ECS 8.7.0.	—
0.1.0	Enhancement (View pull request) Initial draft of the package	—

« Trend Micro Trend Micro Vision One »