Trend Micro AV

About

Trend Micro Inc. is an American-Japanese multinational cyber security software company with global headquarters in Tokyo, Japan and Irving, Texas, United States, with regional headquarters and R&D centers in Asia, Europe, and North America.

Product Details

Vendor URL: Trend Micro

Product Type: AntiVirus

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Forward Events to an external Syslog or SIEM server|Deep Security

Log Guide: Trend Micro Events-Alerts v10.0

Parser Details

Log Format: Syslog/CEF

Expected Normalization Rate: 80-100%

Data Label: TRENDMICRO_AV

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field | UDM Event Type |
| --- | --- | --- |
| vendor | metadata.vendor_name | All |
| product | metadata.product_name | All |
| version | metadata.product_version | All |
| product_event | metadata.product_event_type | All |
| defined | metadata.event_type | All |
| src | principal.hostname | If Available |
| src | principal.ip | If Available |
| dst | target.hostname | If Available |
| dst | target.ip | If Available |
| dhost | target.hostname | If Available |
| dhost | target.ip | If Available |
| shost | principal.hostname | If Available |
| shost | principal.ip | If Available |
| suser | principal.user.userid | If Available |
| dst_user | target.user.userid | If Available |
| request | target.url | If Available |
| cs1 | additional.fields | If Available |
| cs2 | additional.fields | If Available |
| cs3 | additional.fields | If Available |
| cs4 | additional.fields | If Available |
| cs5 | additional.fields | If Available |
| cfp1 | additional.fields | If Available |
| cfp2 | additional.fields | If Available |
| cfp3 | additional.fields | If Available |
| flexString1 | additional.fields | If Available |
| flexString2 | additional.fields | If Available |
| tmt | additional.fields | If Available |
| fingerprint | additional.fields | If Available |
| tmti | additional.fields | If Available |
| msg | metadata.description | If Available |
| observer | observer.hostname | If Available |
| observer | observer.ip | If Available |
| Defined | metadata.event_type | If Available |
| Defined | extensions.auth.type | If Available |
| dst | target.application | If Available |
| dst_email1 | target.email | If Available |
| product_code | security_result.rule_name | If Available |
| Defined | security_result.severity | If Available |

Product Event Types

| Description | metadata.event_type |
| --- | --- |
| Events Retrieved | STATUS_UNCATEGORIZED |
| Computer Updated | STATUS_UNCATEGORIZED |
| Alert Emails Sent | STATUS_UNCATEGORIZED |
| Policy Sent | STATUS_UNCATEGORIZED |
| Alert Started | STATUS_UNCATEGORIZED |
| Offline | STATUS_UNCATEGORIZED |
| User Session Validation Failed | STATUS_UNCATEGORIZED |
| Back Online | STATUS_UNCATEGORIZED |
| Alert Ended | STATUS_UNCATEGORIZED |

Log Sample

<134>Sep 27 10:38:51 observername CEF:0|Trend Micro|Deep Security Manager|20.0.198|710|Events Retrieved|3|src=10.10.10.30 suser=System target=targethost (computername) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

Sample Parsing

metadata.event_timestamp = "2021-09-27T10:38:51Z"
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.vendor_name = "Trend Micro"
metadata.product_name = "Deep Security Manager"
metadata.product_event_type = "Events Retrieved"
metadata.description = "Description Omitted"
metadata.ingested_timestamp = "2021-09-27T14:52:30.796856Z"
additional.Tenant = "Primary"
principal.user.userid = "System"
principal.ip = "10.10.10.30"
principal.asset.ip = "10.10.10.30"
target.hostname = "targethost"
target.asset.hostname = "computername"
observer.hostname = "observername"
security_result.rule_name = "710"
security_result.severity = "LOW"
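
The mapping from the log sample to the fields above can be reproduced offline to check that a forwarded line carries what the parser expects. The following is an added illustration, not the product's parser code: the function names are hypothetical, and the rules for routing src to principal.ip versus principal.hostname and for splitting target into host and asset are assumptions inferred from the sample output. Severity is not mapped because the page does not state the thresholds.

```python
import ipaddress
import re

# Log sample from this page (syslog prefix followed by the CEF record).
SAMPLE = ("<134>Sep 27 10:38:51 observername CEF:0|Trend Micro|Deep Security Manager|"
          "20.0.198|710|Events Retrieved|3|src=10.10.10.30 suser=System "
          "target=targethost (computername) msg=Description Omitted "
          "TrendMicroDsTenant=Primary TrendMicroDsTenantId=0")
HEADER = ("cef_version", "vendor", "product", "version", "product_code", "product_event", "severity")

def parse_cef(line):
    """Return (header dict, extension dict) for one syslog/CEF line."""
    prefix, sep, cef = line.partition("CEF:")
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # \| is an escaped pipe
    if not sep or len(parts) < 8:
        raise ValueError("not a complete CEF record")
    header = dict(zip(HEADER, parts[:7]))
    header["observer"] = (prefix.split() or [None])[-1]  # last syslog token
    # Values may contain spaces: a value runs until the next " key=" or end of line.
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return header, ext

def to_udm(line):
    """Map parsed fields to the UDM names listed in this page's field table."""
    h, ext = parse_cef(line)
    udm = {
        "metadata.vendor_name": h["vendor"],
        "metadata.product_name": h["product"],
        "metadata.product_version": h["version"],
        "metadata.product_event_type": h["product_event"],
        "security_result.rule_name": h["product_code"],
        "observer.hostname": h["observer"],
    }
    simple = {"suser": "principal.user.userid", "msg": "metadata.description"}
    udm.update({simple[k]: v for k, v in ext.items() if k in simple})
    if "src" in ext:
        try:  # assumption: an IP literal goes to principal.ip, anything else to hostname
            ipaddress.ip_address(ext["src"])
            udm["principal.ip"] = ext["src"]
        except ValueError:
            udm["principal.hostname"] = ext["src"]
    # Assumption from the page's sample output: "host (asset)" yields two fields.
    m = re.fullmatch(r"(\S+)(?: \((.+)\))?", ext.get("target", ""))
    if m:
        udm["target.hostname"] = m.group(1)
        if m.group(2):
            udm["target.asset.hostname"] = m.group(2)
    return udm
```

Lines that raise ValueError here lack a complete CEF header and would be the ones to inspect first when the normalization rate falls below the expected range.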

Parser Alerting

This product currently does not have any Parser-based Alerting.