Collect Trend Micro Deep Security logs

This document describes how you can collect Trend Micro Deep Security logs using Google Security Operations. The parser normalizes the logs, which can be in either LEEF+CEF or CEF format, into the unified data model (UDM). It extracts fields from the log messages using grok patterns and key-value pairs, then maps them to the corresponding UDM fields, performing data cleaning and normalization (for example, lowercasing hashes and converting ports to integers) along the way.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to the TrendMicro Deep Security console.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where BindPlane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

Windows Installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux Installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        udplog:
            # Replace the below port <54525> and IP <0.0.0.0> with your specific values
            listen_address: "0.0.0.0:54525"

    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the creds location below according to the placement of the credentials file you downloaded
            creds: '{ json file for creds }'
            # Replace <customer_id> below with your actual ID that you copied
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # You can apply ingestion labels below as preferred
            ingestion_labels:
            log_type: SYSLOG
            namespace: trendmicro_deep_security
            raw_log_field: body

    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - udplog
                exporters:
                    - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Replace the creds placeholder with the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section (for example, /path/to/ingestion-authentication-file.json).

Restart BindPlane Agent to apply the changes

  • In Linux, to restart the BindPlane Agent, run the following command:

    sudo systemctl restart bindplane-agent
    
  • In Windows, to restart the BindPlane Agent, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Syslog in TrendMicro Deep Security

  1. Sign in to the TrendMicro Deep Security console.
  2. Go to Policies > Common Objects > Other > Syslog Configurations.
  3. Click New > New Configuration.
  4. Provide the following details for the configuration:
    • Name: unique name that identifies the configuration (for example, Google SecOps Bindplane)
    • Optional: Description: add a description.
    • Log Source Identifier: specify an identifier to use instead of Deep Security Manager's hostname, if desired.
    • Server Name: enter the hostname or IP address of the Syslog server (Bindplane).
    • Server Port: specify the listening port number on the server (Bindplane).
    • Transport: select UDP as the transport protocol.
    • Event Format: select LEEF or CEF (LEEF format requires that you set Agents should forward logs to Via the Deep Security Manager).
    • Optional: Include time zone in events: whether to add the full date (including year and time zone) to the event.
    • Optional: Agents should forward logs: select Via the Deep Security Manager if logs are formatted with LEEF.
  5. Click Apply to finalize the settings.

Configure Security Events forwarding

  1. Go to Policies and select the policy applied to the computers you want to configure.
  2. Click Details.
  3. In the Policy editor window, click Settings > Event Forwarding.
  4. From the Period between sending of events section, set the period value to a time period between 10 and 60 seconds.
    • The default value is 60 seconds, and the recommended value is 10 seconds.
  5. For each of these protection modules:
    • Anti-Malware Syslog Configuration
    • Web reputation Syslog Configuration
    • Firewall
    • Intrusion prevention Syslog Configuration
    • Log inspection and Integrity monitoring Syslog Configuration
  6. Select the syslog configuration to use from the context menu:
    • Syslog Configuration Name: Select the appropriate configuration.
  7. Click Save to apply the settings.

Configure System Events forwarding

  1. Go to Administration > System Settings > Event Forwarding.
  2. From Forward System Events to a remote computer (via Syslog) using configuration, select the existing configuration created earlier.
  3. Click Save.

UDM Mapping Table

| Log field | UDM mapping | Logic |
|---|---|---|
| act | read_only_udm.security_result.action_details | |
| aggregationType | read_only_udm.additional.fields.value.string_value | Converted to string. |
| cat | read_only_udm.security_result.category_details | |
| cef_host | read_only_udm.target.hostname, read_only_udm.target.asset.hostname | Used as hostname if dvchost is empty. |
| cn1 | read_only_udm.target.asset_id | Prefixed with "Host Id:". |
| cs1 | read_only_udm.security_result.detection_fields.value | |
| cs1Label | read_only_udm.security_result.detection_fields.key | |
| cs2 | read_only_udm.target.file.sha1, read_only_udm.security_result.detection_fields.value | Converted to lowercase and mapped to sha1 if cs2Label is "sha1", otherwise mapped to detection_fields. |
| cs2Label | read_only_udm.security_result.detection_fields.key | |
| cs3 | read_only_udm.target.file.md5, read_only_udm.security_result.detection_fields.value | Converted to lowercase and mapped to md5 if cs3Label is "md5", otherwise mapped to detection_fields. |
| cs3Label | read_only_udm.security_result.detection_fields.key | |
| cs5 | read_only_udm.security_result.detection_fields.value | |
| cs5Label | read_only_udm.security_result.detection_fields.key | |
| cs6 | read_only_udm.security_result.detection_fields.value | |
| cs6Label | read_only_udm.security_result.detection_fields.key | |
| cs7 | read_only_udm.security_result.detection_fields.value | |
| cs7Label | read_only_udm.security_result.detection_fields.key | |
| cnt | read_only_udm.additional.fields.value.string_value | Converted to string. |
| desc | read_only_udm.metadata.description | |
| dst | read_only_udm.target.ip, read_only_udm.target.asset.ip | |
| dstMAC | read_only_udm.target.mac | Converted to lowercase. |
| dstPort | read_only_udm.target.port | Converted to integer. |
| duser | read_only_udm.target.user.user_display_name | |
| dvc | read_only_udm.about.ip | |
| dvchost | read_only_udm.target.hostname, read_only_udm.target.asset.hostname | |
| event_id | read_only_udm.metadata.product_event_type | Combined with event_name ("[event_id] - event_name") as product_event_type if event_name is not empty; otherwise used alone as product_event_type. |
| event_name | read_only_udm.metadata.product_event_type | Prefixed with "[event_id] - " and used as product_event_type. |
| fileHash | read_only_udm.target.file.sha256 | Converted to lowercase. |
| filePath | read_only_udm.target.file.full_path | "ProgramFiles\(x86\)" replaced with "Program Files (x86)". |
| fsize | read_only_udm.target.file.size | Converted to unsigned integer. |
| hostname | read_only_udm.target.hostname, read_only_udm.target.asset.hostname | Used as hostname if target is empty. |
| in | read_only_udm.network.received_bytes | Converted to unsigned integer. |
| msg | read_only_udm.security_result.description | |
| name | read_only_udm.security_result.summary | |
| organization | read_only_udm.target.administrative_domain, read_only_udm.metadata.vendor_name | |
| proto | read_only_udm.network.ip_protocol | Replaced with "ICMP" if it's "ICMPv6". |
| product_version | read_only_udm.metadata.product_version | |
| result | read_only_udm.security_result.summary | |
| sev | read_only_udm.security_result.severity, read_only_udm.security_result.severity_details | Mapped to severity based on its value; also mapped to severity_details. |
| shost | read_only_udm.principal.hostname, read_only_udm.principal.asset.hostname | |
| src | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | |
| srcMAC | read_only_udm.principal.mac | Converted to lowercase. |
| srcPort | read_only_udm.principal.port | Converted to integer. |
| suid | read_only_udm.principal.user.userid | |
| suser | read_only_udm.principal.user.user_display_name | |
| target | read_only_udm.target.hostname, read_only_udm.target.asset.hostname | |
| timestamp | read_only_udm.metadata.event_timestamp.seconds, read_only_udm.metadata.event_timestamp.nanos | Parsed to timestamp. |
| TrendMicroDsBehaviorType | read_only_udm.security_result.detection_fields.value | |
| TrendMicroDsFileSHA1 | read_only_udm.target.file.sha1 | Converted to lowercase. |
| TrendMicroDsFrameType | read_only_udm.security_result.detection_fields.value | |
| TrendMicroDsMalwareTarget | read_only_udm.security_result.detection_fields.value | |
| TrendMicroDsMalwareTargetCount | read_only_udm.security_result.detection_fields.value | |
| TrendMicroDsMalwareTargetType | read_only_udm.security_result.detection_fields.value | |
| TrendMicroDsProcess | read_only_udm.security_result.detection_fields.value | "ProgramFiles\(x86\)" replaced with "Program Files (x86)". |
| TrendMicroDsTenant | read_only_udm.security_result.detection_fields.value | |
| TrendMicroDsTenantId | read_only_udm.security_result.detection_fields.value | |
| usrName | read_only_udm.principal.user.userid | |
| | read_only_udm.metadata.event_type | Set to "NETWORK_HTTP" if both source and destination are present, otherwise set to "GENERIC_EVENT". |
| | read_only_udm.metadata.log_type | Set to "TRENDMICRO_DEEP_SECURITY". |
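As an added illustration of the table's rules (example code written for this page, not the Chronicle parser itself), the following Python parses a constructed CEF event and applies a subset of the mappings: the product_event_type composition, the NETWORK_HTTP versus GENERIC_EVENT choice, dvchost taking precedence over cef_host, the cs2/cs3 hash-versus-detection_fields rule, and the ICMPv6 rewrite. It assumes that the CEF header positions correspond to product_version, event_id, event_name and sev, and that a missing csNLabel falls back to the csN name as the detection_fields key.

```python
import re

# Constructed sample event in CEF shape (header fields plus extension keys from the
# mapping table); the version, hostnames, IPs and hash are made up for this example.
SAMPLE_CEF = (
    "CEF:0|Trend Micro|Deep Security Agent|20.0.0.1|4000000|Eicar_test_file|6|"
    "cn1=1 cn1Label=Host ID dvchost=web-01 cef_host=dsm-01 "
    "cs2=ABCDEF0123456789ABCDEF0123456789ABCDEF01 cs2Label=sha1 "
    "cs5=N/A cs5Label=Container src=10.0.0.5 dst=10.0.0.9 proto=ICMPv6"
)
HEADER_KEYS = ("cef_version", "vendor", "product", "product_version",
               "event_id", "event_name", "sev")  # header positions assumed


def parse_cef(line):
    """Split the CEF header on unescaped pipes; the eighth part is the extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    fields = dict(zip(HEADER_KEYS, parts[:7]))
    # Extension values may contain spaces, so split only right before the next key=.
    for kv in re.split(r" (?=[A-Za-z][\w.]*=)", parts[7]):
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def to_udm(f):
    """Apply a subset of the table's rules; dict keys mirror the UDM paths."""
    meta = {"log_type": "TRENDMICRO_DEEP_SECURITY",
            # "[event_id] - event_name", or event_id alone when there is no name
            "product_event_type": (f"[{f['event_id']}] - {f['event_name']}"
                                   if f.get("event_name") else f["event_id"]),
            # NETWORK_HTTP only when both endpoints are present
            "event_type": "NETWORK_HTTP" if f.get("src") and f.get("dst") else "GENERIC_EVENT"}
    tgt = {"hostname": f.get("dvchost") or f.get("cef_host")}  # cef_host only if dvchost empty
    if "cn1" in f:
        tgt["asset_id"] = "Host Id:" + f["cn1"]
    detection, file = {}, {}
    for n in "123567":  # csN becomes a file hash only when its label says so
        val, label = f.get("cs" + n), f.get(f"cs{n}Label", "cs" + n)  # key fallback assumed
        if val is None:
            continue
        if (n, label) in (("2", "sha1"), ("3", "md5")):
            file[label] = val.lower()
        else:
            detection[label] = val
    if file:
        tgt["file"] = file
    return {"metadata": meta, "target": tgt,
            "security_result": {"detection_fields": detection},
            "network": {"ip_protocol": "ICMP" if f.get("proto") == "ICMPv6" else f.get("proto")}}
```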

Changes

2024-04-17

  • The parser now maps "event_name" from the raw log to the "metadata.product_event_type" field in the UDM.
  • The "act" field is now additionally mapped to "security_result.action_details" in the UDM.

2024-03-29

  • Improved handling of different "cef_event_attributes" formats.
  • Several fields were mapped to new UDM fields for better organization:
      • "log_type" is now "metadata.product_name"
      • "organization" is now "metadata.vendor_name"
  • New fields from the raw logs (like "suser", "suid", "fileHash", etc.) are now mapped to the UDM. A link to a mapping sheet is provided for details.

2024-03-23

  • Enhanced parsing for both "event_attributes" and "cef_event_attributes" formats.
  • The "name" field is now mapped to "security_result.summary" in the UDM.

2024-03-04

  • Added support for parsing CEF format logs.
  • Mapped several fields from the raw logs to corresponding UDM fields, including:
      • "TrendMicroDsFileSHA1" to "target.file.sha1"
      • "msg" to "security_result.description"
      • "result" to "security_result.summary"
      • "filePath" to "target.file.full_path"
  • Multiple fields related to TrendMicro detections are now mapped to "security_result.detection_fields".
  • Improved logic for mapping the "target.hostname" field based on the availability of "dvchost" or "cef_host".

2024-02-13

  • The "target" field is now mapped to "target.hostname" in the UDM.
  • The "usrName" field is now mapped to "principal.user.userid" in the UDM.

2022-09-01

  • Newly created parser.