Trend Micro Cloud One is a strong enterprise data security solution for data centers and cloud environments. Trend Micro’s advantages, like most other security tools, lie in its pairing with other security resources. That’s where Logz.io comes in. It brings together disparate data that Trend Micro tracks to create fully summarized dashboards and extremely detailed ones with specific focuses.
Logz.io Cloud SIEM augments Trend Micro’s strengths by bringing together and syncing all the data the former collects. That makes it easy to correlate and prioritize events. Logz.io Cloud SIEM will automatically parse Trend Micro logs, then enrich them with security data. Together, Trend Micro Cloud One and Logz.io Cloud SIEM are a natural match.
Rules and Dashboards
Logz.io maintains five rules for Trend Micro Deep Security: reconnaissance detection, malware detection, and suspicious files or processes or domains. By default, all these rules monitor for a single incident, though this is configurable. Likewise, the time frame for detecting multiple incidents is also configurable. Additionally, you can launch Trend Micro’s own sets of preconfigured rules to suit your needs.
Ship Trend Micro Logs to Logz.io
There are three prereqs you’ll need: 1) Trend Micro Cloud One credentials, 2) Filebeat, and 3) root access.
You’ll need these in order to install the Trend Micro certificate in Filebeat:
sudo mkdir /etc/filebeat/certificates sudo openssl req -newkey rsa:2048 -nodes \ -keyout /etc/filebeat/certificates/Trendmicro.key -x509 \ -days 365 \ -out /etc/filebeat/certificates/Trendmicro.crt
Then, for HTTPS shipping, download the Logz.io cert:
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Copy and paste the following configuration:
# ... filebeat.inputs: - type: tcp max_message_size: 10MiB host: "0.0.0.0:1514" ssl.enabled: true ssl.certificate: "/etc/filebeat/certificates/Trendmicro.crt" ssl.key: "/etc/filebeat/certificates/Trendmicro.key" ssl.verification_mode: none fields: logzio_codec: json token: <> type: trendmicro_deep fields_under_root: true filebeat.registry.path: /var/lib/filebeat #The following processors are to ensure compatibility with version 7 processors: - rename: fields: - from: "agent" to: "beat_agent" ignore_missing: true - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true
Also add the following for the output in the same config file:
# ... output.logstash: hosts: ["<<LISTENER-HOST>>:5015"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
<<LISTENER-HOST>> with the appropriate values in the above snippets. Then double-check that Logz.io is the only output in the configuration file.
Configure Trend Micro Agents
Next, configure Trend Micro to forward its logs to Filebeat via the Trend Micro Cloud One console. You can get that info in Logz.io Docs.
To activate syslog forwarding, configure the agents by opening the
Policies tab and select the relevant policy. On that form, select
Setting (to the left) and then select
Event Forwarding at the top. From there, choose the syslog policies you want.
While you can create your own, Logz.io has set up three prefabricated Trend Micro dashboards.
Dashboard 1 – Trend Micro Summary
The summary dash will cover logs from the system, firewall, integrity monitor, anti-malware, and the log inspector itself. In this middle of the dash, you can see events organized by severity. You can also isolate kinds of logs via the filter directly beneath that chart,
Dashboard 2 – Malware Activity
This one monitors logs related to top infected hosts, results by classification, and tracking spikes in anti-malware logging. You also have the option to filter your information and to look at data according to specific, saved searches.
The top left graph covers the most infected hosts, displayed in a staggered bar chart. To the right at the top, you can drill down to see which viruses appear the most in the donut chart above, or in the tag cloud immediately below it.
In the view of the donut graphic below, you can see a breakdown of the most common trojan viruses, as well as a percentage with their names. In the case of this sample, the
HKTL_MMKATZ_component appears the most in our logs at 25 percent.
Dashboard 3 – Network Monitoring
Similar to the malware dashboard, the network dash focuses on top hosts by malicious browsing, the top domains, and the network logs over time.
Utilizing Logz.io to augment and analyze Trend Micro Cloud One’s data, it becomes easier to zero in on important log events. This feature works well with our many other integrations as well, such as with ESET, Hashicorp Vault, and Palo Alto Networks.
To learn more about Logz.io Cloud SIEM, check out the product page.