Trend Micro OfficeScan

Overview

Trend Micro OfficeScan is an endpoint security and antivirus product. Its virus/malware detection events, once forwarded into InsightOps, add endpoint context (which host, which user, which file, what action the agent took) to the data you already hold about your users.

Before You Begin

Trend Micro OfficeScan cannot forward logs natively. Instead, forward them into InsightOps from a log aggregator, SIEM, or log forwarder such as nxlog.

The free tool nxlog can read the OfficeScan log file on the Trend Micro server and forward the antivirus events to InsightOps. The nxlog documentation covers installation and the available modules.

Configure nxlog to forward the logs in standard syslog format, as described on the nxlog page; InsightOps parses the OfficeScan event out of the syslog message body.

Once configured, the newly forwarded logs may resemble the log below:

```text
2015-04-06 15:32:12 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\SYSTEM Virus/Malware: Eicar_test_1 Computer: IT68 Domain: tor\Platte_city\ File: C:\Users\jsmith\Desktop\New Text Document.txt Date/Time: 4/6/2015 15:31:35 Result: Virus successfully detected, cannot perform the Clean action (Quarantine)
```
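The line above is a fixed header (timestamp, server, severity, event number, account) followed by "Key: value" pairs whose values contain spaces and backslashes, so the pairs cannot be split on whitespace. The parser below, an added example that is not part of the Rapid7 page or of Trend Micro's or nxlog's tooling, splits each value at the next known key instead, and then runs a small triage rule over the parsed events: a result that says "cannot perform the Clean action" means the file was detected but is still on disk. SAMPLE_LINE is the page's own line; CLEANED_LINE is constructed for this example and its success wording is assumed, not OfficeScan's actual text.

```python
"""Parse OfficeScan virus/malware events and flag detections whose action failed.

Added example; not code from the Rapid7 page, Trend Micro, or nxlog.
"""
import re

# Copied from the page: the event body OfficeScan writes and nxlog forwards.
SAMPLE_LINE = (
    "2015-04-06 15:32:12 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\\SYSTEM "
    "Virus/Malware: Eicar_test_1 Computer: IT68 Domain: tor\\Platte_city\\ "
    "File: C:\\Users\\jsmith\\Desktop\\New Text Document.txt "
    "Date/Time: 4/6/2015 15:31:35 "
    "Result: Virus successfully detected, cannot perform the Clean action (Quarantine)"
)

# Constructed for this example (assumed wording) to exercise the "action succeeded" branch.
CLEANED_LINE = (
    "2015-04-06 15:40:01 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\\SYSTEM "
    "Virus/Malware: Eicar_test_1 Computer: IT70 Domain: tor\\Platte_city\\ "
    "File: C:\\Users\\adoe\\Downloads\\eicar.com "
    "Date/Time: 4/6/2015 15:39:48 "
    "Result: Virus successfully detected and cleaned"
)

# Keys OfficeScan emits in the event body, in the order seen on the page.
# A value runs until the next " Key: " token or the end of the line; a file
# path that itself contains " Computer: " would be mis-split, so keep this
# list to the real key names only.
KEYS = ("Virus/Malware", "Computer", "Domain", "File", "Date/Time", "Result")
KEY_ALT = "|".join(re.escape(k) for k in KEYS)

HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<severity>[A-Z]+) (?P<event_id>\d+) "
    # The account ("NT AUTHORITY\SYSTEM") contains a space, so it is matched
    # non-greedily up to the first key rather than as a single token.
    r"(?P<user>.+?) (?=(?:" + KEY_ALT + r"): )(?P<body>.*)$"
)
FIELD_RE = re.compile(
    r"(?P<key>" + KEY_ALT + r"): (?P<value>.*?)(?= (?:" + KEY_ALT + r"): |$)"
)


def parse_officescan(line):
    """Return a dict of header fields plus a 'fields' sub-dict, or None if the
    line is not an OfficeScan event in this layout."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    event = {k: m.group(k) for k in ("timestamp", "host", "severity", "event_id", "user")}
    event["fields"] = {f.group("key"): f.group("value")
                       for f in FIELD_RE.finditer(m.group("body"))}
    return event


def action_failed(event):
    """True when OfficeScan detected the file but could not apply its configured
    action (the page's sample ends with "cannot perform the Clean action")."""
    return "cannot perform" in event["fields"].get("Result", "").lower()


def failed_actions(lines):
    """Run the triage rule over raw lines; return one summary per event that
    still needs an analyst, keyed on the endpoint (Computer) not the server."""
    hits = []
    for line in lines:
        event = parse_officescan(line)
        if event is None or not action_failed(event):
            continue
        hits.append({
            "endpoint": event["fields"].get("Computer", event["host"]),
            "threat": event["fields"].get("Virus/Malware"),
            "file": event["fields"].get("File"),
            "result": event["fields"].get("Result"),
        })
    return hits


if __name__ == "__main__":
    for hit in failed_actions([SAMPLE_LINE, CLEANED_LINE, "unrelated syslog noise"]):
        print(f"{hit['endpoint']}: {hit['threat']} still on disk at {hit['file']}")
```

Note that the header's host (PVBTMAV.mycompany.com) is the OfficeScan server that wrote the log, while the infected endpoint is the Computer field; attribution should use the latter.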

How to Configure This Event Source in InsightOps

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Virus Scan icon from the Security Data section.
  4. Select your collector, and from the list of options, choose TrendMicro OfficeScan.
  5. Optionally choose to send unfiltered logs.
  6. Choose a timezone (optionally a US timezone) matching the timestamps in the OfficeScan log.
  7. Configure any advanced event source settings.
  8. Select Listen for Syslog and enter the port nxlog will send to. Choose TCP as your protocol, then check the box titled "Encrypted" to receive Secure Syslog (syslog over TLS). nxlog must be configured for the same port and for TLS; a plaintext TCP sender cannot complete the handshake with an encrypted listener.
  9. Select the "Download Certificate" button, which downloads Rapid7's CA certificate as a file called Rapid7CA.pem. Install it on the nxlog host and reference it from the nxlog output so that the forwarder can verify the collector's certificate when it opens the TLS connection; this is what establishes trust between Trend Micro's server and InsightOps for log forwarding.
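The nxlog side of this procedure, covering both the "read the OfficeScan log and forward as syslog" paragraph above and the TLS listener from steps 8 and 9, as an added example that is not from the Rapid7 page or from nxlog's or Trend Micro's documentation. The log file path, the collector hostname and port, and the location of Rapid7CA.pem are all assumptions to replace with your own values; the directive names are nxlog Community Edition syntax.

```conf
## Added example; not configuration shipped by Rapid7, nxlog or Trend Micro.
## Assumed values: the OfficeScan log path, collector.example.com:1514, and
## C:\nxlog\cert\Rapid7CA.pem (where step 9's download was saved).

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input officescan>
    Module      im_file
    # Assumed path: point this at the virus log the OfficeScan server writes.
    File        'C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Log\*.log'
    # Remember the read position across restarts and do not replay history.
    SavePos     TRUE
    ReadFromLast TRUE
    # Forward only virus/malware detections; drop everything else in the file.
    Exec        if $raw_event !~ /Virus.Malware:/ drop();
</Input>

<Output insightops>
    # TLS output: matches the "Encrypted" TCP listener created in step 8.
    Module      om_ssl
    Host        collector.example.com
    Port        1514
    # CA from step 9, used to verify the collector's certificate.
    CAFile      C:\nxlog\cert\Rapid7CA.pem
    # Fail closed: never send events to a collector whose cert does not chain to Rapid7CA.pem.
    AllowUntrusted FALSE
    # Wrap each event in a standard syslog (BSD) header, as the page requires.
    Exec        to_syslog_bsd();
</Output>

<Route officescan_to_insightops>
    Path        officescan => insightops
</Route>
```

Keep AllowUntrusted at FALSE: setting it to TRUE makes nxlog accept any certificate on the port, which turns the "Encrypted" option into transport encryption without authentication of the collector.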

Advanced Event Source Settings

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends configuring a fallback domain so that user accounts which cannot be resolved in the main domain are attributed correctly.

For instance, if your company has offices in the US and in Canada, both locations have a user named "John Smith", and your main domain is company.com, your fallback domain could be company.ca, which allows InsightOps to attribute the data to the correct user.