Collect Trend Micro Deep Security logs

This document describes how you can collect the Trend Micro Deep Security logs using Google Security Operations. This parser the logs, which can be in either LEEF+CEF or CEF format, into a unified data model (UDM). It extracts fields from the log messages using grok patterns and key-value pairs, then maps them to corresponding UDM fields, handling various data cleaning and normalization tasks along the way.

Before you begin

• Ensure that you have a Google SecOps instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to TrendMicro Deep Security console.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where BindPlane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

Windows Installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   

Linux Installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
   

Additional Installation Resources

• For additional installation options, consult this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   • Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       udplog:
           # Replace the below port <54525> and IP <0.0.0.0> with your specific values
           listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: trendmicro_deep_security
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - udplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart BindPlane Agent to apply the changes

• In Linux, to restart the BindPlane Agent, run the following command:

  sudo systemctl restart bindplane-agent
  

• In Windows, to restart the BindPlane Agent, you can either use the Services console or enter the following command:

  net stop BindPlaneAgent && net start BindPlaneAgent
  

Configure Syslog in TrendMicro Deep Security

1. Sign in to TrenMicro Deep Security console.
2. Go to Policies > Common Objects > Other > Syslog Configurations.
3. Click New > New Configuration.
4. Provide the following details for the configuration:
   • Name: unique name that identifies the configuration (for example, Google SecOps Bindplane)
   • Optional: Description: add a description.
   • Log Source Identifier: specify an identifier to use instead of Deep Security Manager's hostname, if desired.
   • Server Name: enter the hostname or IP address of the Syslog server (Bindplane).
   • Server Port: specify the listening port number on the server (Bindplane).
   • Transport: select UDP as the transport protocol.
   • Event Format: select LEEF or CEF (LEEF format requires that you set Agents should forward logs to Via the Deep Security Manager).
   • Optional: Include time zone in events: whether to add the full date (including year and time zone) to the event.
   • Optional: Agents should forward logs: select Via the Deep Security Manager if logs are formatted with LEEF.
5. Click Apply to finalize the settings.

Configure Security Events forwarding

1. Go to Policies and select the policy applied to the computers you want to configure.
2. Click Details.
3. In the Policy editor window, click Settings > Event Forwarding.
4. From the Period between sending of events section, set the period value to a time period between 10 and 60 seconds.
   • The default value is 60 seconds, and the recommended value is 10 seconds.
5. For each of these protection modules:
   • Anti-Malware Syslog Configuration
   • Web reputation Syslog Configuration
   • Firewall
   • Intrusion prevention Syslog Configuration
   • Log inspection and Integrity monitoring Syslog Configuration
6. Select the syslog configuration to use from the context menu:
   • Syslog Configuration Name: Select the appropriate configuration.
7. Click Save to apply the settings.

Configure System Events forwarding

1. Go to Administration > System Settings > Event Forwarding.
2. From Forward System Events to a remote computer (via Syslog) using configuration, select the existing configuration created earlier.
3. Click Save.

UDM Mapping Table

Log field	UDM mapping	Logic
act	read_only_udm.security_result.action_details
aggregationType	read_only_udm.additional.fields.value.string_value	Converted to string.
cat	read_only_udm.security_result.category_details
cef_host	read_only_udm.target.hostname read_only_udm.target.asset.hostname	Used as hostname if dvchost is empty.
cn1	read_only_udm.target.asset_id	Prefixed with "Host Id:".
cs1	read_only_udm.security_result.detection_fields.value
cs1Label	read_only_udm.security_result.detection_fields.key
cs2	read_only_udm.target.file.sha1 read_only_udm.security_result.detection_fields.value	Converted to lowercase and mapped to sha1 if cs2Label is "sha1", otherwise mapped to detection_fields.
cs2Label	read_only_udm.security_result.detection_fields.key
cs3	read_only_udm.target.file.md5 read_only_udm.security_result.detection_fields.value	Converted to lowercase and mapped to md5 if cs3Label is "md5", otherwise mapped to detection_fields.
cs3Label	read_only_udm.security_result.detection_fields.key
cs5	read_only_udm.security_result.detection_fields.value
cs5Label	read_only_udm.security_result.detection_fields.key
cs6	read_only_udm.security_result.detection_fields.value
cs6Label	read_only_udm.security_result.detection_fields.key
cs7	read_only_udm.security_result.detection_fields.value
cs7Label	read_only_udm.security_result.detection_fields.key
cnt	read_only_udm.additional.fields.value.string_value	Converted to string.
desc	read_only_udm.metadata.description
dst	read_only_udm.target.ip read_only_udm.target.asset.ip
dstMAC	read_only_udm.target.mac	Converted to lowercase.
dstPort	read_only_udm.target.port	Converted to integer.
duser	read_only_udm.target.user.user_display_name
dvc	read_only_udm.about.ip
dvchost	read_only_udm.target.hostname read_only_udm.target.asset.hostname
event_id	read_only_udm.metadata.product_event_type	Used as product_event_type if event_name is not empty, otherwise used alone.
event_name	read_only_udm.metadata.product_event_type	Prefixed with "[event_id] - " and used as product_event_type.
fileHash	read_only_udm.target.file.sha256	Converted to lowercase.
filePath	read_only_udm.target.file.full_path	"ProgramFiles\(x86\)" replaced with "Program Files (x86)".
fsize	read_only_udm.target.file.size	Converted to unsigned integer.
hostname	read_only_udm.target.hostname read_only_udm.target.asset.hostname	Used as hostname if target is empty.
in	read_only_udm.network.received_bytes	Converted to unsigned integer.
msg	read_only_udm.security_result.description
name	read_only_udm.security_result.summary
organization	read_only_udm.target.administrative_domain read_only_udm.metadata.vendor_name
proto	read_only_udm.network.ip_protocol	Replaced with "ICMP" if it's "ICMPv6".
product_version	read_only_udm.metadata.product_version
result	read_only_udm.security_result.summary
sev	read_only_udm.security_result.severity read_only_udm.security_result.severity_details	Mapped to severity based on its value, also mapped to severity_details.
shost	read_only_udm.principal.hostname read_only_udm.principal.asset.hostname
src	read_only_udm.principal.ip read_only_udm.principal.asset.ip
srcMAC	read_only_udm.principal.mac	Converted to lowercase.
srcPort	read_only_udm.principal.port	Converted to integer.
suid	read_only_udm.principal.user.userid
suser	read_only_udm.principal.user.user_display_name
target	read_only_udm.target.hostname read_only_udm.target.asset.hostname
timestamp	read_only_udm.metadata.event_timestamp.seconds read_only_udm.metadata.event_timestamp.nanos	Parsed to timestamp.
TrendMicroDsBehaviorType	read_only_udm.security_result.detection_fields.value
TrendMicroDsFileSHA1	read_only_udm.target.file.sha1	Converted to lowercase.
TrendMicroDsFrameType	read_only_udm.security_result.detection_fields.value
TrendMicroDsMalwareTarget	read_only_udm.security_result.detection_fields.value
TrendMicroDsMalwareTargetCount	read_only_udm.security_result.detection_fields.value
TrendMicroDsMalwareTargetType	read_only_udm.security_result.detection_fields.value
TrendMicroDsProcess	read_only_udm.security_result.detection_fields.value	"ProgramFiles\(x86\)" replaced with "Program Files (x86)".
TrendMicroDsTenant	read_only_udm.security_result.detection_fields.value
TrendMicroDsTenantId	read_only_udm.security_result.detection_fields.value
usrName	read_only_udm.principal.user.userid
	read_only_udm.metadata.event_type	Set to "NETWORK_HTTP" if both source and destination are present, otherwise set to "GENERIC_EVENT".
	read_only_udm.metadata.log_type	Set to "TRENDMICRO_DEEP_SECURITY".

Changes

2024-04-17

• The parser now maps "event_name" from the raw log to the "metadata.product_event_type" field in the UDM.
• The "act" field is now additionally mapped to "security_result.action_details" in the UDM.

2024-03-29

• Improved handling of different "cef_event_attributes" formats.
• Several fields were mapped to new UDM fields for better organization:
• "log_type" is now "metadata.product_name"
• "organization" is now "metadata.vendor_name"
• New fields from the raw logs (like "suer", "suid", "fileHash", etc.) are now mapped to the UDM. A link to a mapping sheet is provided for details.

2024-03-23

• Enhanced parsing for both "event_attributes" and "cef_event_attributes" formats.
• The "name" field is now mapped to "security_result.summary" in the UDM.

2024-03-04

• Added support for parsing CEF format logs.
• Mapped several fields from the raw logs to corresponding UDM fields, including:
• "TrendMicroDsFileSHA1" to "target.file.sha1"
• "msg" to "security_result.description"
• "result" to "security_result.summary"
• "filePath" to "target.file.full_path"
• Multiple fields related to TrendMicro detections are now mapped to "security_result.detection_fields".
• Improved logic for mapping the "target.hostname" field based on the availability of "dvchost" or "cef_host".

2024-02-13

• The "target" field is now mapped to "target.hostname" in the UDM.
• The "usrName" field is now mapped to "principal.user.userid" in the UDM.

2022-09-01

• Newly created parser.