Trend Micro AV¶
About¶
Trend Micro Inc. is an American-Japanese multinational cyber security software company with global headquarters in Tokyo, Japan and Irving, Texas, United States, with regional headquarters and R&D centers in Asia, Europe, and North America.
Product Details¶
Vendor URL: Trend Micro
Product Type: AntiVirus
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Foward Events to an external Syslog or SIEM server|Deep Security
Log Guide: Trend Micro Events-Alerts v10.0
Parser Details¶
Log Format: Syslog/CEF
Expected Normalization Rate: 80-100%
Data Label: TRENDMICRO_AV
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
vendor | metadata.vendor_name | All |
product | metadata.product_name | All |
version | metadata.product_version | All |
product_event | metadata.product_event_type | All |
defined | metadata.event_type | All |
src | principal.hostname | If Available |
src | principal.ip | If Available |
dst | target.hostname | If Available |
dst | target.ip | If Available |
dhost | target.hostname | If Available |
dhost | target.ip | If Available |
shost | principal.hostname | If Available |
shost | principal.ip | If Available |
suser | principal.user.userid | If Available |
dst_user | target.user.userid | If Available |
request | target.url | If Available |
cs1 | additional.fields | If Available |
cs2 | additional.fields | If Available |
cs3 | additional.fields | If Available |
cs4 | additional.fields | If Available |
cs5 | additional.fields | If Available |
cfp1 | additional.fields | If Available |
cfp2 | additional.fields | If Available |
cfp3 | additional.fields | If Available |
flexString1 | additional.fields | If Available |
flexString2 | additional.fields | If Available |
tmt | additional.fields | If Available |
fingerprint | additional.fields | If Available |
tmti | additional.fields | If Available |
msg | metadata.description | If Available |
observer | observer.hostname | If Available |
observer | observer.ip | If Available |
Defined | metadata.event_type | If Available |
Defined | extensions.auth.type | If Available |
dst | target.application | If Available |
dst_email1 | target.email | If Available |
product_code | security_result.rule_name | If Available |
Defined | security_result.severity | If Available |
Product Event Types¶
Description | metadata.event_type |
---|---|
Events Retrieved | STATUS_UNCATEGORIZED |
Computer Updated | STATUS_UNCATEGORIZED |
Alert Emails Sent | STATUS_UNCATEGORIZED |
Policy Sent | STATUS_UNCATEGORIZED |
Alert Started | STATUS_UNCATEGORIZED |
Offline | STATUS_UNCATEGORIZED |
User Session Validation Failed | STATUS_UNCATEGORIZED |
Back Online | STATUS_UNCATEGORIZED |
Alert Ended | STATUS_UNCATEGORIZED |
Log Sample¶
<134>Sep 27 10:38:51 observername CEF:0|Trend Micro|Deep Security Manager|20.0.198|710|Events Retrieved|3|src=10.10.10.30 suser=System target=targethost (computername) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0
Sample Parsing¶
metadata.event_timestamp = "2021-09-27T10:38:51Z"
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.vendor_name = "Trend Micro"
metadata.product_name = "Deep Security Manager"
metadata.product_event_type = "Events Retrieved"
metadata.description = "Description Omitted"
metadata.ingested_timestamp = "2021-09-27T14:52:30.796856Z"
additional.Tenant = "Primary"
principal.user.userid = "System"
principal.ip = "10.10.10.30"
principal.asset.ip = "10.10.10.30"
target.hostname = "targethost"
target.asset.hostname = "computername"
observer.hostname = "observername"
security_result.rule_name = "710"
security_result.severity = "LOW"
Parser Alerting¶
This product currently does not have any Parser-based Alerting