Trend Micro Apex One

Trend Micro Apex One is an anti-virus product that offers threat detection and response. You can send anti-virus logs to InsightIDR through syslog to receive alerts about events occurring in Trend Micro Apex One.

To set up Trend Micro Apex One you’ll need to:

  1. Configure Trend Micro Apex One to send data to your Collector.
  2. Set up the Trend Micro Apex One event source in InsightIDR.
  3. Verify the configuration works.

Configure Trend Micro Apex One to Send Data to Your Collector

To send Trend Micro Apex One logs to InsightIDR, you must configure syslog forwarding in Apex Central. Apex Central is the data management system and log forwarder for Trend Micro Apex One.

Use CEF Format

You must send Trend Micro Apex One logs to InsightIDR in CEF format. For instructions on how to configure syslog forwarding in Apex Central, see the Trend Micro documentation: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx

Configure InsightIDR to Collect Data from the Event Source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Trend Micro Apex One in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Trend Micro Apex One event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. If you are sending additional events beyond alerts, select the unparsed logs checkbox.
  7. Select an attribution source.
  8. Configure your default domain and any Advanced Event Source Settings.
  9. Select Listen on Network Port as your Collection Method.
  10. Enter a Port number.
  11. Choose a Protocol.

You must select the same protocol in InsightIDR that you selected when configuring in Apex Central. If you selected SSL/TLS in Apex Central, select TCP, and choose to encrypt this event source in Step 11.

  12. If you chose TCP as your protocol, you can also select Encrypted to encrypt the event source and download the Rapid7 Certificate.
  13. Click the Save button.

Verify the Configuration

From the left menu, click Log Search to view your raw logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Trend Micro Apex One” if you did not name the event source. Trend Micro Apex One logs flow into these Log Sets:

  • Virus Infection Documents
  • Web Proxy Documents
  • Ingress Authentication Documents
  • Advanced Malware Documents

Sample input logs:

<133>Jul 30 2019 22:38:26 RAPID7.offices.local CEF:0|Trend Micro|Control Manager|7.0|AV:File cleaned|TROJ_FRS.VSNTGO19|3|deviceExternalId=551 rt=Jul 31 2019 02:36:35 GMT+00:00 cnt=1 dhost=RAPID7AOSDMWLKS act=File cleaned cn1Label=VLF_PatternNumber cn1=1526500 cn2Label=VLF_SecondAction cn2=1 cs1Label=VLF_FunctionCode cs1=Real-time Scan cs2Label=VLF_EngineVersion cs2=11.000.1006 cs3Label=CLF_ProductVersion cs3=12.1 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File cleaned cs6Label=VLF_SecondActionResult cs6=N/A cat=1703 dvchost=R7ASP54154 cn3Label=CLF_ServerityCode cn3=2 fname=adobe_flash_player_0494650184[1].exe filePath=C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Packages\\\\microsoft.microsoftedge\\\\AC\\\\#!001\\\\MicrosoftEdge\\\\Cache\\\\R7654354\\\\ dst=10.77.20.135 fileHash=C3B16395727C822960A73FF7B914FE3FB4FC3813 deviceFacility=OfficeScan
<133>Jul 31 2019 07:08:28 RAPID7.offices.local CEF:0|Trend Micro|Control Manager|7.0|WB:36|36|3|deviceExternalId=18089 rt=Jul 31 2019 10:56:55 GMT+00:00 app=5 cnt=1 dpt=80 act=2 src=10.81.20.53 cs1Label=SLF_PolicyName cs1=Internal User Policy deviceDirection=2 cat=36 dvchost=R7ASP54154 request=http://trakwp.com/scz?p\\=YTE1NjA5OTkyOTc672JAqCVcgVzwnWMw5ltc%2BmA14J1ApzolWN%2BIMzguB03GrTTivwWF9FMB4vW3kQL905hJtilNSPCRfVOD%2B5C2LHDA%2B2SPHnmnMSjovC4S0UWY6zgQYhEB%2B9JLvTcHZ3oeP%2BDggqUC76kh3oKzd0ZlxZqGcuqb5ijJNjl5CKNueKBekg2WXszhoeOYfi1Scb8FcIda94WCLrr...2BwwFw%2BBCop9%2FW%2B4ewvsFcPLOmMXtfrp6l1YPqD%2FuQ57pPsfKipQ89cVJ0u32sgLrlAofA%2BIg7w34cqBg%2Bg%2Bc0N8xl8A%2B9T%2BIozvcc4t6hdQYg3x8%2BoTu4kBexG9yNCZJYEFHcCJCkrX7SJ7WmqqjtpD%2F74C%2Bw1aECs4HwJ3VQ04H8dsQO4WaphdcJsy4IGDFol8Hz4EWpj8&t\\=1&dpv\\=98&ndom\\=5&st\\=&l\\=1 shost=TRASIMENE217 deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe cn3Label=Web_Reputation_Rating cn3=49 deviceFacility=OfficeScan cn2Label=SLF_SeverityLevel cn2=100
<133>Jul 31 2019 07:08:28 RAPID7.offices.local CEF:0|Trend Micro|Apex Central|2019|700211|Managed Product Logon/Logoff Events|3|deviceExternalId=11 shost=TREBIA218 deviceFacility=ScanMail for Microsoft Exchange cs1Label=Product_Version cs1=14 cn1Label=Command_Status cn1=110 msg=A user with the Administrator role(s) has logged on. Detail Information:UserName:TEST2013\\\\administrator,IP address:100.204.166.127,EventType:Log in/out,SourceType:SMEX UI. #015
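
The sample logs above are CEF records behind a syslog header. The following Python parser is an added example, not part of the Rapid7 or Trend Micro documentation; it splits a forwarded line into its seven CEF header fields and its extension, and folds the csNLabel/cnNLabel pairs into named fields so you can check what Apex Central is actually sending. The names parse_cef and SAMPLE are assumptions, and the sample line is constructed.

```python
import re

# One CEF header field: any run of characters, with "\|" and "\\" as escapes.
_FIELD = r"((?:[^|\\]|\\.)*)"
# "CEF:" followed by seven pipe-separated header fields and an optional extension.
_HEADER = re.compile(r"CEF:" + r"\|".join([_FIELD] * 7) + r"(?:\|(.*))?$", re.S)
# An extension key is a bare token directly followed by an unescaped "=".
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")
HEADER_NAMES = ("cef_version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

def _unescape(value):
    """Undo CEF escaping of backslash, equals sign and pipe."""
    return re.sub(r"\\([\\=|])", r"\1", value)

def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict."""
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not a complete CEF record")
    event = {n: _unescape(v) for n, v in zip(HEADER_NAMES, m.groups())}
    body = m.group(8) or ""
    keys = list(_EXT_KEY.finditer(body))
    ext = {}
    for i, key in enumerate(keys):
        # A value runs up to the next key, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        ext[key.group(1)] = _unescape(body[key.end():end].strip())
    # Fold label pairs so "cs1Label=X cs1=Y" becomes "X=Y".
    for label_key in [k for k in ext if k.endswith("Label")]:
        value_key = label_key[:-len("Label")]
        if value_key in ext:
            ext[ext.pop(label_key)] = ext.pop(value_key)
    event["extension"] = ext
    return event

# Constructed sample modelled on the first log above; all values are made up.
SAMPLE = (r"<133>Jul 30 2019 22:38:26 collector.example CEF:0|Trend Micro|"
          r"Control Manager|7.0|AV:File cleaned|EXAMPLE_DETECTION|3|"
          r"rt=Jul 31 2019 02:36:35 GMT+00:00 dhost=HOST01 act=File cleaned "
          r"cs1Label=VLF_FunctionCode cs1=Real-time Scan "
          r"fname=sample.exe filePath=C:\\Users\\user\\Downloads\\ "
          r"request=http://example.test/a?p\=1 deviceFacility=OfficeScan")

if __name__ == "__main__":
    for name, value in parse_cef(SAMPLE)["extension"].items():
        print(f"{name}: {value}")
```

A line that raises ValueError here is not a complete CEF record, which usually means syslog forwarding in Apex Central is set to a format other than CEF.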