Trend Micro Deep Security

Trend Micro Deep Security provides server security for physical, virtual, and cloud servers. If you are a Deep Security customer, you can configure Deep Security Manager to forward its events to InsightIDR over a syslog connection to your Collector. With the integration in place, Deep Security events populate the Virus Alert, Firewall Activity, IDS Alert, Ingress Authentication and Asset Authentication log sets in InsightIDR.

To set up your Trend Micro Deep Security integration:

  1. Configure the Trend Micro Deep Security Event Source in InsightIDR
  2. Configure Trend Micro Deep Security to send data to your Collector

Configure InsightIDR to collect data from the event source

Add the event source in InsightIDR first. The port you choose here and the IP address of the Collector are the values you enter in Deep Security afterwards, and if you choose the encrypted TCP listener, this step is also where you download the Rapid7 Certificate that Deep Security Manager must trust.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Trend Micro Deep Security in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Trend Micro Deep Security event source tile.
  4. Choose your Collector.
  5. Choose the Trend Micro Deep Security Event Source. You can also name your event source by entering a Display Name if you want.
  6. Choose the timezone that matches the location of your event source logs.
  7. You can choose to send unparsed logs to Log Search if you want.
  8. You can specify a default domain or add a new domain if needed.
  9. Select Listen on Network Port for your Collection Method.
  10. Enter a Port number.

Port Number and IP Address

Note the port number as well as the IP address associated with your IDR Collector. You will need both to configure Deep Security event forwarding later.

  11. Choose a Protocol. Deep Security's Syslog configuration offers only UDP or TLS as its transport, so choose UDP here, or TCP and then select Encrypted in the next step; an unencrypted TCP listener has no matching Deep Security transport.
  12. If you choose TCP as your Protocol, select Encrypted so that the listener requires TLS, and download the Rapid7 Certificate.

Rapid7 Certificate Import

To import the Rapid7 Certificate in your Deep Security Manager console, go to Administration > System Settings > Security and click the View Certificates List button. A modal appears that allows you to import the .pem file.

  13. Click the Save button.

Configure Trend Micro Deep Security to send data to your Collector

After setting up the Trend Micro Deep Security event source in InsightIDR, you can configure Deep Security to forward alerts to IDR.

There are 3 tasks in this configuration procedure:

  1. Allow event forwarding network traffic
  2. Define a Syslog configuration
  3. Forward security events

Task 1: Allow event forwarding network traffic

Routers, firewalls, and security groups on the path must allow traffic from Deep Security Manager to your InsightIDR Collector on the port you specified when you set up the Event Source in IDR (the Collector listens; the Manager connects out). If the Manager runs inside your network alongside the Collector, internal routing and firewall rules between the two are enough. If the Manager is hosted outside your network, the Collector must be reachable from it: a DNS name the Manager can resolve and a Network Address Translation (NAT) from a public IP address to the Collector's internal IP address. In that case, restrict the inbound rule to the Manager's source addresses and use the TLS transport; a syslog listener open to the whole Internet accepts events from any sender, and over UDP the source address is trivially spoofed.

Task 2: Define a Syslog configuration

Syslog configurations define the destination and settings that can be used when forwarding events.

  1. In Trend Micro Deep Security, go to Policies > Common Objects > Other > Syslog Configurations.
  2. Click New > New Configuration.
  3. On the “General” tab, configure:
  • Name: Unique name that identifies the configuration.
  • Description: Optional description of the configuration.
  • Log Source Identifier: Optional identifier to use instead of Deep Security Manager's hostname. This setting does not apply to events sent directly by Deep Security Agent, which always uses its hostname as the log source ID. If the Deep Security Manager is multi-node, each server node has a different hostname. Log source IDs can therefore be different. If you need the IDs to be the same regardless of hostname (for example, for filtering purposes), you can configure their shared log source ID here.
  • Server Name: IP address of your IDR Collector
  • Server Port: Port number specified in the IDR Event Source
  • Transport: Indicate whether the transport protocol is secure (TLS) or not (UDP). This must match the Protocol you chose for the InsightIDR event source: TLS pairs with TCP plus Encrypted, UDP with UDP. TLS requires that you set “Agents should forward logs” to “Via the Deep Security Manager." Agents do not support forwarding with TLS. With UDP, Syslog messages are limited to 64 KB; a longer message is truncated, and nothing in the delivery path detects a lost datagram. With TLS, the manager and Syslog server must trust each other’s certificates. The connection from the manager to the Syslog server is encrypted with TLS 1.2, 1.1, or 1.0.
  • Event Format: Specify LEEF format. LEEF format requires that you set “Agents should forward logs” to “Via the Deep Security Manager.”
  • Include time zone in events: Select to add the full date (including year and time zone) to the event. Full dates require that you set “Agents should forward logs” to “Via the Deep Security Manager.”
    • Example (selected): 2018-09-14T01:02:17.123+04:00.
    • Example (deselected): Sep 14 01:02:17.
  • Facility: Type of process that events will be associated with
  • Agents should forward logs: Choose to send events “Via the Deep Security Manager” (indirectly).
  4. Click Apply.

If you selected the TLS transport mechanism, verify that both Deep Security Manager and the Syslog server can connect and trust each other's certificates.

  1. Click Test Connection. Deep Security Manager will try to resolve the hostname and connect. If that fails, an error message appears. If the Syslog or SIEM server certificate is not yet trusted by Deep Security Manager, the connection fails and an “Accept Server Certificate?” message should appear. The message shows the contents of the Syslog server's certificate.
  2. Verify that the Syslog server's certificate is correct and click OK to accept it. Compare it with the Rapid7 Certificate you downloaded from the event source (or with the Collector's certificate fingerprint obtained out of band) before accepting: whatever you accept here is trusted for every future delivery, so an interposed endpoint accepted at this step would receive your events silently. The certificate is added to the manager's list of trusted certificates on Administration > System Settings > Security. Deep Security Manager can accept self-signed certificates.
  3. Click Test Connection again. Now the TLS connection should succeed.
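Deep Security's Test Connection button reports little beyond success or failure, so a practitioner will usually want to separate a blocked port (Task 1) from an untrusted certificate (Task 2) before touching the Syslog configuration. The script below is an added example, not Rapid7 or Trend Micro code. Run from the Deep Security Manager host, it checks plain TCP reachability of the Collector port, then opens a TLS session that trusts only the Rapid7 certificate downloaded from the event source, prints the SHA-256 fingerprint of whatever certificate the port presents (the value to compare against when the "Accept Server Certificate?" prompt appears), and sends one octet-count-framed LEEF test line so it can be found in Log Search. The Collector address, port and certificate path are placeholders passed on the command line; the test event's header fields and event ID 0 are constructed for this example.

```python
#!/usr/bin/env python3
"""Pre-flight check for the Deep Security Manager -> InsightIDR Collector path.

Added example, not Rapid7 or Trend Micro code. Separates the two ways
"Test Connection" can fail: port unreachable (Task 1) or certificate not
trusted (Task 2). Collector host, port and the Rapid7 .pem are placeholders.
"""
import argparse
import hashlib
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def build_test_event(source_host: str, now: Optional[datetime] = None) -> str:
    """A minimal LEEF 2.0 line in the shape of the page's samples.
    PRI <134> = facility 16 (local0) * 8 + severity 6 (informational).
    The header mimics Deep Security Manager so the Collector's parser sees it;
    event ID 0 and the cat/name values are constructed placeholders."""
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    attrs = "\t".join([
        "cat=Test", "name=Collector connectivity check", "sev=1",
        f"msg=sent from {source_host}",
    ])
    return f"<134>{ts} {source_host} LEEF:2.0|Trend Micro|Deep Security Manager|0|0|{attrs}"


def frame_octet_count(msg: str) -> bytes:
    """RFC 6587 octet-counting framing used on TCP/TLS: b'<len> <msg>'.
    The page's TCP samples show this prefix ("488 <134>...")."""
    data = msg.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Task 1: can the Manager host open the Collector port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError as exc:
        print(f"[Task 1] TCP connect to {host}:{port} failed: {exc}")
        return False


def send_over_tls(host: str, port: int, cafile: str, msg: str,
                  check_hostname: bool = True, timeout: float = 5.0) -> bool:
    """Task 2: handshake trusting only the downloaded Rapid7 certificate."""
    # Passing cafile means the system CA store is NOT loaded: anything other
    # than the expected certificate chain on that port is rejected.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            fp = cert_fingerprint(tls.getpeercert(binary_form=True))
            print(f"[Task 2] {tls.version()} established; peer SHA-256 {fp}")
            tls.sendall(frame_octet_count(msg))
        return True
    except ssl.SSLCertVerificationError as exc:
        print(f"[Task 2] certificate not trusted: {exc.verify_message}")
        return False
    except (ssl.SSLError, OSError) as exc:
        print(f"[Task 2] TLS session failed: {exc}")
        return False


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Deep Security -> InsightIDR path check")
    ap.add_argument("host", help="Collector IP or DNS name, as entered in Server Name")
    ap.add_argument("port", type=int, help="port entered in the InsightIDR event source")
    ap.add_argument("--cafile", required=True, help="Rapid7 certificate (.pem) from the event source")
    ap.add_argument("--no-hostname-check", action="store_true",
                    help="skip SAN/CN matching if the certificate is not issued for this name")
    args = ap.parse_args()
    if not tcp_reachable(args.host, args.port):
        raise SystemExit(1)
    ok = send_over_tls(args.host, args.port, args.cafile,
                       build_test_event(socket.gethostname()),
                       check_hostname=not args.no_hostname_check)
    raise SystemExit(0 if ok else 2)
```

Usage, with an assumed Collector name and port: `python3 ds_idr_check.py collector.example.internal 6514 --cafile rapid7.pem`. A Task 1 failure is a routing, firewall or security-group problem; a Task 2 "certificate not trusted" failure with a fingerprint that does not match the downloaded Rapid7 certificate means something other than the expected Collector is answering on that port and should be investigated rather than accepted.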

Task 3: Forward security events

Now that you’ve established your Syslog connection, you can select the events you want to forward to InsightIDR.

  1. Go to Policies.
  2. Double-click the policy assigned to the computers whose events you want to forward.
  3. Select Settings and then the Event Forwarding tab.
  4. From Period between sending of events, select how often to forward events.
  5. From Anti-Malware Syslog Configuration and other protection modules' drop-down menus, either select which Syslog configuration to use, click Edit to change it, select None to disable it, or click New.
  6. Click Save.

Verify the Configuration

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Trend Micro Deep Security logs flow into these Log Sets:
    • Firewall Activity
    • IDS Alert
    • Ingress Authentication
    • Virus Alert
    • Asset Authentication
  2. Then run a Log Search against those Log Sets to confirm that Deep Security events are being parsed, not only received.

Sample logs. The "\t" sequences stand for the tab character that separates LEEF attributes. The number that precedes some messages (488, 655) is the RFC 6587 octet-count frame length that prefixes each message on the TCP/TLS transport; it is not part of the event. The first three anti-malware samples are identical except for how the agent identifies the host (dvchost, dvc, or no host field at all):

<134>2019-07-11T23:04:31-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Agent|11.0.346|4000020|cat=Anti-Malware\tname=TM_MALWARE_BEHAVIOR\tdesc=TM_MALWARE_BEHAVIOR\tsev=6\tcn1=69979\tcn1Label=Host ID\tdvchost=r7-remote-user.com\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0\tfilePath=c:\\\\program files\\\\notepad++\\\\nppshell.dll\tact=Terminate\tmsg=Realtime\tTrendMicroDsMalwareTarget=C:\\\\WINDOWS\\\\system32\\\\regsvr32.exe\tTrendMicroDsMalwareTargetType=Process\tTrendMicroDsFileSHA1=AWSFHIOWUEHFOQIUERHOGUEHOR65465R16V5E1R6

<134>2019-07-11T23:04:31-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Agent|11.0.346|4000020|cat=Anti-Malware\tname=TM_MALWARE_BEHAVIOR\tdesc=TM_MALWARE_BEHAVIOR\tsev=6\tcn1=69979\tcn1Label=Host ID\tdvc=r7-remote-user.com\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0\tfilePath=c:\\\\program files\\\\notepad++\\\\nppshell.dll\tact=Terminate\tmsg=Realtime\tTrendMicroDsMalwareTarget=C:\\\\WINDOWS\\\\system32\\\\regsvr32.exe\tTrendMicroDsMalwareTargetType=Process\tTrendMicroDsFileSHA1=AWSFHIOWUEHFOQIUERHOGUEHOR65465R16V5E1R6

<134>2019-07-11T23:04:31-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Agent|11.0.346|4000020|cat=Anti-Malware\tname=TM_MALWARE_BEHAVIOR\tdesc=TM_MALWARE_BEHAVIOR\tsev=6\tcn1=69979\tcn1Label=Host ID\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0\tfilePath=c:\\\\program files\\\\notepad++\\\\nppshell.dll\tact=Terminate\tmsg=Realtime\tTrendMicroDsMalwareTarget=C:\\\\WINDOWS\\\\system32\\\\regsvr32.exe\tTrendMicroDsMalwareTargetType=Process\tTrendMicroDsFileSHA1=AWSFHIOWUEHFOQIUERHOGUEHOR65465R16V5E1R6

488 <134>Oct 11 02:54:47 10.11.12.13 LEEF:2.0|Trend Micro|Deep Security Agent|12.0.342|138|cat=Firewall\tname=Packet on Closed Connection\tdesc=Packet on Closed Connection\tsev=5\tcn1=144\tcn1Label=Host ID\tdvc=10.11.12.13\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0\tact=Deny\tdstMAC=AA:BB:CC:DD:EE:FF\tsrcMAC=AA:BB:CC:DD:EE:FF\tTrendMicroDsFrameType=IP\tsrc=10.11.12.13\tdst=10.11.12.13\tin=0\tcs3=DF 0\tcs3Label=Fragmentation Bits\tproto=TCP\tsrcPort=36626\tdstPort=80\tcs2=SYN\tcs2Label=TCP Flags\tcnt=5

655 <134>Oct 11 07:17:22 10.11.12.13 LEEF:2.0|Trend Micro|Deep Security Agent|12.0.342|501|cat=Intrusion Prevention\tname=Invalid Traversal\tdesc=Invalid Traversal\tsev=5\tcn1=140\tcn1Label=Host ID\tdvc=10.11.12.13\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0\tdstMAC=AA:BB:CC:DD:EE:FF\tsrcMAC=AA:BB:CC:DD:EE:FF\tTrendMicroDsFrameType=IP\tsrc=10.11.12.13\tdst=10.11.12.13\tin=101\tcs3=DF 0\tcs3Label=Fragmentation Bits\tproto=TCP\tsrcPort=58596\tdstPort=80\tcs2=ACK PSH\tcs2Label=TCP Flags\tcnt=1\tact=Reset\tcn2=-501\tcn2Label=DPI Reason\tcn3=10\tcn3Label=DPI Packet Position\tcs5=10\tcs5Label=DPI Stream Position \tcs1=\"uri-normalize\"\tcs1Label=DPI Note\tcs6=8\tcs6Label=DPI Flags

<134>2019-08-04T17:07:28-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Manager|11.0.346|600|cat=System\tname=User Signed In\tdesc=User signed in from 10.11.12.13\tsev=3\tsrc=10.11.12.13\tusrName=System\ttarget=R7-FullAccess/r7employee@r7web.com\tmsg=User signed in from 10.11.12.13\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0

<134>2019-08-04T17:08:07-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Manager|11.0.346|601|cat=System\tname=User Signed Out\tdesc=Description Omitted\tsev=3\tsrc=10.11.12.13\tusrName=System\ttarget=R7-FullAccess/r7employee@r7web.com\tmsg=Description Omitted\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0
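The sample lines above are what the Collector receives on the wire. The parser below is an added example, not Rapid7's parser (whose field mapping is not documented on this page) and not Trend Micro code. It strips the octet-count frame and checks that the declared length matches the message, decodes the syslog PRI into facility and severity, accepts both timestamp forms described under "Include time zone in events", splits the LEEF 2.0 header, and folds the doubled backslashes in Windows paths. Three of the page's samples are embedded with their "\t" restored to real tab bytes; treating "\\" as an escaped single backslash is an assumption drawn from the samples. `summarize` shows the fields an analyst checks first for each event category.

```python
#!/usr/bin/env python3
"""Parse Deep Security LEEF 2.0 syslog lines as received by the Collector.

Added example, not Rapid7 or Trend Micro code. SAMPLES are three of the page's
sample logs with "\t" restored to real tabs; the doubled backslashes in paths
are kept and folded by _unescape (assumption: the agent escapes '\' as '\\').
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SAMPLES = [
    # Agent anti-malware event: RFC 3339 timestamp, no framing (UDP-style)
    "<134>2019-07-11T23:04:31-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Agent|11.0.346|4000020|"
    "cat=Anti-Malware\tname=TM_MALWARE_BEHAVIOR\tdesc=TM_MALWARE_BEHAVIOR\tsev=6\tcn1=69979\tcn1Label=Host ID"
    "\tdvchost=r7-remote-user.com\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0"
    "\tfilePath=c:\\\\program files\\\\notepad++\\\\nppshell.dll\tact=Terminate\tmsg=Realtime"
    "\tTrendMicroDsMalwareTarget=C:\\\\WINDOWS\\\\system32\\\\regsvr32.exe\tTrendMicroDsMalwareTargetType=Process"
    "\tTrendMicroDsFileSHA1=AWSFHIOWUEHFOQIUERHOGUEHOR65465R16V5E1R6",
    # Agent firewall event over TCP/TLS: leading "488 " is RFC 6587 octet-count framing
    "488 <134>Oct 11 02:54:47 10.11.12.13 LEEF:2.0|Trend Micro|Deep Security Agent|12.0.342|138|"
    "cat=Firewall\tname=Packet on Closed Connection\tdesc=Packet on Closed Connection\tsev=5\tcn1=144"
    "\tcn1Label=Host ID\tdvc=10.11.12.13\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0\tact=Deny"
    "\tdstMAC=AA:BB:CC:DD:EE:FF\tsrcMAC=AA:BB:CC:DD:EE:FF\tTrendMicroDsFrameType=IP\tsrc=10.11.12.13"
    "\tdst=10.11.12.13\tin=0\tcs3=DF 0\tcs3Label=Fragmentation Bits\tproto=TCP\tsrcPort=36626\tdstPort=80"
    "\tcs2=SYN\tcs2Label=TCP Flags\tcnt=5",
    # Manager audit event: console sign-in
    "<134>2019-08-04T17:07:28-04:00 R7TEST99 LEEF:2.0|Trend Micro|Deep Security Manager|11.0.346|600|"
    "cat=System\tname=User Signed In\tdesc=User signed in from 10.11.12.13\tsev=3\tsrc=10.11.12.13"
    "\tusrName=System\ttarget=R7-FullAccess/r7employee@r7web.com\tmsg=User signed in from 10.11.12.13"
    "\tTrendMicroDsTenant=Primary\tTrendMicroDsTenantId=0",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Either timestamp form ("Include time zone in events" on or off), host, then the LEEF header.
HEADER_RE = re.compile(
    r"(\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) LEEF:2\.0\|"
)


@dataclass
class LeefEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    vendor: str
    product: str
    version: str
    event_id: str
    attrs: Dict[str, str] = field(default_factory=dict)


def unframe(line: str) -> Tuple[str, Optional[bool]]:
    """Strip RFC 6587 octet-count framing ("488 <134>...") when present.
    Returns (message, count_ok): None for an unframed line, False when the
    declared length disagrees with the message, which is how a truncated or
    concatenated TCP record shows up."""
    m = re.match(r"^(\d+) (?=<\d{1,3}>)", line)
    if not m:
        return line, None
    msg = line[m.end():]
    return msg, len(msg.encode("utf-8")) == int(m.group(1))


def _unescape(value: str) -> str:
    return value.replace("\\\\", "\\")


def parse_leef(line: str) -> LeefEvent:
    msg, _ = unframe(line)
    pri = PRI_RE.match(msg)
    if not pri:
        raise ValueError("missing syslog PRI")
    hdr = HEADER_RE.match(msg, pri.end())
    if not hdr:
        raise ValueError("not a Deep Security LEEF 2.0 line")
    # Vendor, product, version, event ID, then the tab-separated attributes;
    # maxsplit=4 keeps any '|' inside an attribute value intact.
    vendor, product, version, event_id, attr_str = msg[hdr.end():].split("|", 4)
    attrs: Dict[str, str] = {}
    for kv in attr_str.split("\t"):
        if "=" in kv:
            key, val = kv.split("=", 1)
            attrs[key] = _unescape(val)
    code = int(pri.group(1))
    return LeefEvent(code // 8, code % 8, hdr.group(1), hdr.group(2),
                     vendor, product, version, event_id, attrs)


def summarize(ev: LeefEvent) -> str:
    """One-line triage view: the fields an analyst looks at first per category."""
    a = ev.attrs
    cat = a.get("cat", "")
    if cat == "Anti-Malware":
        return (f"{ev.host}: {a.get('name')} {a.get('act', '?')} {a.get('filePath')} "
                f"in {a.get('TrendMicroDsMalwareTarget', '?')} sha1={a.get('TrendMicroDsFileSHA1')}")
    if cat in ("Firewall", "Intrusion Prevention"):
        return (f"{ev.host}: {cat} {a.get('act', '?')} {a.get('name')} "
                f"{a.get('src')}:{a.get('srcPort')} -> {a.get('dst')}:{a.get('dstPort')}/{a.get('proto')}")
    if ev.product == "Deep Security Manager" and cat == "System":
        return f"{ev.host}: {a.get('name')} target={a.get('target')} src={a.get('src')}"
    return f"{ev.host}: {cat} {a.get('name')}"


if __name__ == "__main__":
    for raw in SAMPLES:
        _, count_ok = unframe(raw)
        event = parse_leef(raw)
        flag = "" if count_ok in (None, True) else " [octet count mismatch]"
        print(f"{event.product} {event.event_id} sev={event.severity}{flag}: {summarize(event)}")
```

Two checks in this block are worth keeping when you write your own tooling: a frame whose octet count does not match its message indicates the TCP stream was cut or two records were glued together, and a line whose header does not match `HEADER_RE` is exactly what lands in Log Search as unparsed when "send unparsed logs" is enabled.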

Troubleshoot Common Issues

Here are some common issues you may have when setting up event forwarding from Trend Micro Deep Security and how to troubleshoot them.

"Failed to Send Syslog Message" alert

If there is a problem with your Syslog configuration, you might see this alert:

“Failed to Send Syslog Message The Deep Security Manager was unable to forward messages to a Syslog Server. Unable to forward messages to a Syslog Server.”

The alert also contains a link to the affected Syslog configuration. Click the link to open the configuration and then click Test Connection to get more diagnostic information. It will either indicate that the connection was successful or display an error message with more details about the cause.

Can't edit Syslog configurations

If you can see the Syslog configurations but can't edit them, the role associated with your account might not have the appropriate rights. An administrator who is able to configure roles can check your permissions by going to Administration > User Management. Then select your name and click Properties. On the “Other Rights” tab, the “Syslog Configurations” setting controls your ability to edit Syslog configurations.

Syslog not delivered due to an expired or changed server certificate

Valid certificates are required to connect securely via TLS. If the Syslog server's certificate has expired or changed, delivery stops until the new certificate is trusted: open the Syslog configuration and click Test Connection, and you are prompted to accept the new certificate. Confirm an unexpected change with whoever operates the Collector before accepting it; a certificate that changed without a planned renewal is also what an interposed endpoint looks like from the Manager's side.