Skip to main content

Trend Micro Deep Security

Download With Dependencies

Trend Micro Deep Security provides runtime security for workloads (physical, virtual, cloud, and containers).

Trend Micro Deep Security

What does this pack do?

This pack enables you to:

  • Configure policies and protect computers.
  • Discover vulnerabilities and patch them.
  • Perform routine maintenance tasks.

To use the Trend Deep Security APIs, you will need to create an API key in the Trend Deep Security console.

Trend Micro Deep Security

This pack includes Cortex XSIAM content.

Configuration on Server Side

Browse to the Trend Micro DSM (Deep Security Manager) Web Console, and perform the steps below.

Define a Syslog Configuration

  1. Navigate to PoliciesCommon ObjectsSyslog Configurations.

  2. Click NewNew Configurations.

  3. Configure the following parameters on the General tab:

    Parameter Description
    Name Unique name that identifies the configuration.
    Server Name Hostname or IP address of the XSIAM Broker VM Syslog Server.
    Server Port The target syslog port of the XSIAM Broker VM Syslog Server.
    Event Format Select Common Event Format (CEF).
    Transport Select the transport protocol.
    Include time zone in events Whether to include the year and time zone in the event timestamp (Recommended).
    Facility Type of process that events will be associated with. See Syslog Facilities and Levels.
    Agents should forward logs Whether security events from the DSA (Deep Security Agents) should be sent to the target XSIAM VM Broker directly, or via the DSM.

Please note:

  • Some logging functions are supported only for configurations which are defined to forward the DSA events indirectly via the DSM (and not directly to the syslog server).
  • Traffic should be enabled from the DSM (Deep Security Manager) tenant to the XSIAM Syslog Server for the requested port & protocol. If the (DSA) Deep Security Agents are configured to forward the events directly to the XSIAM server (and not via the DSM), then traffic should be enabled from the agent tenants as well. See Allow event forwarding network traffic for additional details.

For full documentation, see Forward Deep Security events to a Syslog or SIEM server on the Deep Security Help Center page.

Define Event Forwarding

After defining a syslog configuration, you can define event forwarding for the system events and/or security events, using the syslog configuration defined in the previous section. The system events are audit trail events and system alerts that are generated on the DSM, whereas the security events are alerts and notification events that are generated on the DSA from the various Deep Security protection modules. Define forwarding for the requested type of events: system events, security events, or both.

Forward System Events

  1. Navigate to AdministrationSystem Settings.
  2. Click the Event Forwarding tab.
  3. In the SIEM section, in the Forward System Events to a remote computer (via Syslog) using configuration option, select the relevant syslog configuration that was defined for forwarding the events to the XSIAM Broker VM.
  4. Click Save.

For additional details, see Forward system events.

Forward Security Events

  1. Navigate to Policies and double-click the relevant policy which is applied to the monitored agents.
  2. Select Settings on the left navigation pane, and open the Event Forwarding tab.
  3. Under the Event Forwarding Frequency (from the Agent/Appliance) section, select the requested forwarding frequency for the given policy under Period between sending of events.
  4. Under the Event Forwarding Configuration (from the Agent/Appliance) section, for each protection module, select the relevant syslog configuartion for forwarding that module alerts to XSIAM.
  5. Click Save.

For additional details ,see Forward security events.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Right-click, and select Syslog Collector > Configure.
  3. When configuring the Syslog Collector, set the following values:
    | Parameter | Value
    | :--- | :---
    | Protocol | The protocol that was defined in the syslog configuration on the Trend Micro Deep Security Manager Web Console.
    | Port | The port that was defined in the syslog configuration on the Trend Micro Deep Security Manager Web Console.
    | Format | Select CEF.
    | Vendor | Enter TrendMicro.
    | Product | Enter DeepSecurity.

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJuly 13, 2021
Last ReleaseFebruary 29, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.