Secure Your Endpoints with Trend Micro & Logz.io

Trend Micro & Logz.io

Trend Micro Cloud One is a strong enterprise data security solution for data centers and cloud environments. Trend Micro’s advantages, like most other security tools, lie in its pairing with other security resources. That’s where Logz.io comes in. It brings together disparate data that Trend Micro tracks to create fully summarized dashboards and extremely detailed ones with specific focuses.

Logz.io Cloud SIEM augments Trend Micro’s strengths by bringing together and syncing all the data the former collects. That makes it easy to correlate and prioritize events. Logz.io Cloud SIEM will automatically parse Trend Micro logs, then enrich them with security data. Together, Trend Micro Cloud One and Logz.io Cloud SIEM are a natural match.

Rules and Dashboards

Logz.io maintains five rules for Trend Micro Deep Security: reconnaissance detection, malware detection, and suspicious files or processes or domains. By default, all these rules monitor for a single incident, though this is configurable. Likewise, the time frame for detecting multiple incidents is also configurable. Additionally, you can launch Trend Micro’s own sets of preconfigured rules to suit your needs.

Ship Trend Micro Logs to Logz.io

There are three prereqs you’ll need: 1) Trend Micro Cloud One credentials, 2) Filebeat, and 3) root access.

You’ll need these in order to install the Trend Micro certificate in Filebeat:

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/Trendmicro.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/Trendmicro.crt

Then, for HTTPS shipping, download the Logz.io cert:

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Copy and paste the following configuration:

# ...
filebeat.inputs:
- type: tcp
  max_message_size: 10MiB
  host: "0.0.0.0:1514"
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certificates/Trendmicro.crt"
  ssl.key: "/etc/filebeat/certificates/Trendmicro.key"
  ssl.verification_mode: none
  fields:
    logzio_codec: json
    token: <>
    type: trendmicro_deep
  fields_under_root: true
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "agent"
       to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true

Also add the following for the output in the same config file:

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace <<SHIPPING-TOKEN>> and <<LISTENER-HOST>> with the appropriate values in the above snippets. Then double-check that Logz.io is the only output in the configuration file.

Configure Trend Micro Agents

Next, configure Trend Micro to forward its logs to Filebeat via the Trend Micro Cloud One console. You can get that info in Logz.io Docs.

To activate syslog forwarding, configure the agents by opening the Policies tab and select the relevant policy. On that form, select Setting (to the left) and then select Event Forwarding at the top. From there, choose the syslog policies you want.

While you can create your own, Logz.io has set up three prefabricated Trend Micro dashboards.

Dashboard 1 – Trend Micro Summary

Logz.io Summary Dashboard for Trend Micro

Logz.io Summary Dashboard for Trend Micro

The summary dash will cover logs from the system, firewall, integrity monitor, anti-malware, and the log inspector itself. In this middle of the dash, you can see events organized by severity. You can also isolate kinds of logs via the filter directly beneath that chart,

Dashboard 2 – Malware Activity

Trend Micro Malware Activity Dashboard in Logz.io

Trend Micro Malware Activity Dashboard in Logz.io

This one monitors logs related to top infected hosts, results by classification, and tracking spikes in anti-malware logging. You also have the option to filter your information and to look at data according to specific, saved searches.

The top left graph covers the most infected hosts, displayed in a staggered bar chart. To the right at the top, you can drill down to see which viruses appear the most in the donut chart above, or in the tag cloud immediately below it.

In the view of the donut graphic below, you can see a breakdown of the most common trojan viruses, as well as a percentage with their names. In the case of this sample, the HKTL_MMKATZ_component appears the most in our logs at 25 percent.

Dashboard 3 – Network Monitoring

Trend Micro Network Monitoring Dashboard in Logz.io

Trend Micro Network Monitoring Dashboard in Logz.io

Similar to the malware dashboard, the network dash focuses on top hosts by malicious browsing, the top domains, and the network logs over time.

Utilizing Logz.io to augment and analyze Trend Micro Cloud One’s data, it becomes easier to zero in on important log events. This feature works well with our many other integrations as well, such as with ESET, Hashicorp Vault, and Palo Alto Networks.

To learn more about Logz.io Cloud SIEM, check out the product page.

Stay updated with us!

By submitting this form, you are accepting our Terms of Use and our Privacy Policy

Thank you for subscribing!

Internal