Trend Micro AV

About
Trend Micro Inc. is an American-Japanese multinational cyber security software company with global headquarters in Tokyo, Japan and Irving, Texas, United States, with regional headquarters and R&D centers in Asia, Europe, and North America.
Product Details
Vendor URL: Trend Micro
Product Type: AntiVirus
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Forward Events to an external Syslog or SIEM server|Deep Security
Log Guide: Trend Micro Events-Alerts v10.0
Parser Details
Log Format: Syslog/CEF
Expected Normalization Rate: 80-100%
Data Label: TRENDMICRO_AV
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field | UDM Event Type |
|---|---|---|
| vendor | metadata.vendor_name | All |
| product | metadata.product_name | All |
| version | metadata.product_version | All |
| product_event | metadata.product_event_type | All |
| defined | metadata.event_type | All |
| src | principal.hostname | If Available |
| src | principal.ip | If Available |
| dst | target.hostname | If Available |
| dst | target.ip | If Available |
| dhost | target.hostname | If Available |
| dhost | target.ip | If Available |
| shost | principal.hostname | If Available |
| shost | principal.ip | If Available |
| suser | principal.user.userid | If Available |
| dst_user | target.user.userid | If Available |
| request | target.url | If Available |
| cs1 | additional.fields | If Available |
| cs2 | additional.fields | If Available |
| cs3 | additional.fields | If Available |
| cs4 | additional.fields | If Available |
| cs5 | additional.fields | If Available |
| cfp1 | additional.fields | If Available |
| cfp2 | additional.fields | If Available |
| cfp3 | additional.fields | If Available |
| flexString1 | additional.fields | If Available |
| flexString2 | additional.fields | If Available |
| tmt | additional.fields | If Available |
| fingerprint | additional.fields | If Available |
| tmti | additional.fields | If Available |
| msg | metadata.description | If Available |
| observer | observer.hostname | If Available |
| observer | observer.ip | If Available |
| Defined | metadata.event_type | If Available |
| Defined | extensions.auth.type | If Available |
| dst | target.application | If Available |
| dst_email1 | target.email | If Available |
| product_code | security_result.rule_name | If Available |
| Defined | security_result.severity | If Available |
Product Event Types
| Description | metadata.event_type |
|---|---|
| Events Retrieved | STATUS_UNCATEGORIZED |
| Computer Updated | STATUS_UNCATEGORIZED |
| Alert Emails Sent | STATUS_UNCATEGORIZED |
| Policy Sent | STATUS_UNCATEGORIZED |
| Alert Started | STATUS_UNCATEGORIZED |
| Offline | STATUS_UNCATEGORIZED |
| User Session Validation Failed | STATUS_UNCATEGORIZED |
| Back Online | STATUS_UNCATEGORIZED |
| Alert Ended | STATUS_UNCATEGORIZED |
Log Sample
<134>Sep 27 10:38:51 observername CEF:0|Trend Micro|Deep Security Manager|20.0.198|710|Events Retrieved|3|src=10.10.10.30 suser=System target=targethost (computername) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0
Sample Parsing
metadata.event_timestamp = "2021-09-27T10:38:51Z"
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.vendor_name = "Trend Micro"
metadata.product_name = "Deep Security Manager"
metadata.product_event_type = "Events Retrieved"
metadata.description = "Description Omitted"
metadata.ingested_timestamp = "2021-09-27T14:52:30.796856Z"
additional.Tenant = "Primary"
principal.user.userid = "System"
principal.ip = "10.10.10.30"
principal.asset.ip = "10.10.10.30"
target.hostname = "targethost"
target.asset.hostname = "computername"
observer.hostname = "observername"
security_result.rule_name = "710"
security_result.severity = "LOW"
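As an added example (not the page's own parser and not Trend Micro's or the SIEM vendor's code), the following Python walks the Log Sample above through the steps the mapping tables describe: split the RFC 3164 syslog prefix from the CEF header, split the seven pipe-delimited header fields on unescaped pipes, scan the extension for `key=` tokens so values with spaces (`msg=Description Omitted`) survive, and emit the UDM fields shown in Sample Parsing. Assumptions not stated on the page: the syslog year (2021, to match the sample output), the CEF severity bands used to turn `3` into `LOW`, and a `GENERIC_EVENT` fallback for event names missing from the Product Event Types table.

```python
import ipaddress
import re
from datetime import datetime, timezone

SAMPLE = (  # line copied from the page's Log Sample section
    "<134>Sep 27 10:38:51 observername CEF:0|Trend Micro|Deep Security Manager|20.0.198|710|"
    "Events Retrieved|3|src=10.10.10.30 suser=System target=targethost (computername) "
    "msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0")
SYSLOG_RE = re.compile(r"^<\d+>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (CEF:.*)$")
EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")
EVENT_TYPES = {n: "STATUS_UNCATEGORIZED" for n in (  # from the page's Product Event Types table
    "Events Retrieved", "Computer Updated", "Alert Emails Sent", "Policy Sent", "Alert Started",
    "Offline", "User Session Validation Failed", "Back Online", "Alert Ended")}

def severity_to_udm(sev):
    # Assumption: standard CEF severity bands (0-3 LOW, 4-6 MEDIUM, 7-8 HIGH, 9-10 CRITICAL); page shows 3 -> LOW.
    n = int(sev)
    return "LOW" if n <= 3 else "MEDIUM" if n <= 6 else "HIGH" if n <= 8 else "CRITICAL"

def parse_extension(ext):
    # CEF extension values may contain spaces ("msg=Description Omitted"), so a value runs until the next "key=".
    keys = list(EXT_KEY_RE.finditer(ext))
    return {m.group(1): ext[m.end():keys[i + 1].start() if i + 1 < len(keys) else len(ext)].strip()
            for i, m in enumerate(keys)}

def parse_trendmicro_cef(line, year=2021):
    # `year` is an assumption: RFC 3164 syslog timestamps carry no year (the page's sample shows 2021).
    syslog_ts, observer, cef = SYSLOG_RE.match(line).groups()
    # The CEF header is 7 pipe-delimited fields; split on unescaped pipes only (a literal pipe is escaped as \|).
    _, vendor, product, version, sig_id, name, severity, ext = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    x = parse_extension(ext)
    ts = datetime.strptime(f"{year} {syslog_ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    udm = {"metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
           "metadata.event_type": EVENT_TYPES.get(name, "GENERIC_EVENT"),  # unlisted names fall back
           "metadata.vendor_name": vendor, "metadata.product_name": product,
           "metadata.product_version": version, "metadata.product_event_type": name,
           "security_result.rule_name": sig_id, "security_result.severity": severity_to_udm(severity),
           "observer.hostname": observer}
    if "msg" in x: udm["metadata.description"] = x["msg"]
    if "suser" in x: udm["principal.user.userid"] = x["suser"]
    if "TrendMicroDsTenant" in x: udm["additional.Tenant"] = x["TrendMicroDsTenant"]
    if "src" in x:  # src maps to principal.ip when it parses as an address, otherwise principal.hostname
        try: ipaddress.ip_address(x["src"]); udm["principal.ip"] = x["src"]
        except ValueError: udm["principal.hostname"] = x["src"]
    if "target" in x:  # "host (computername)" form, as shown in the page's Sample Parsing
        m = re.match(r"(\S+)(?: \((.*)\))?$", x["target"])
        udm["target.hostname"] = m.group(1)
        if m.group(2): udm["target.asset.hostname"] = m.group(2)
    return udm
```

Running `parse_trendmicro_cef(SAMPLE)` reproduces the Sample Parsing values above; feeding it a line whose event name is not in the table shows where a normalization miss (the gap in the 80-100% rate) would come from.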
Parser Alerting
This product currently does not have any Parser-based Alerting.