TrendAI™ Deep Security™ v1.1.8
TrendAI™ Deep Security™ provides runtime security for workloads (physical, virtual, cloud, and containers).
- Author:
- Cortex XSOAR
- Support:
- xsoar
Integrations (1)
Modeling rules (1)
README
TrendAI™ Deep Security™
<~XSOAR>
What does this pack do?
This pack enables you to:
- Configure policies and protect computers.
- Discover vulnerabilities and patch them.
- Perform routine maintenance tasks.
To use the Trend Deep Security APIs, you will need to create an API key in the Trend Deep Security console.
</~XSOAR>
<~XSIAM>
This pack includes Cortex XSIAM content.
Configuration on Server Side
Browse to the Trend Micro DSM (Deep Security Manager) Web Console, and perform the steps below.
Define a Syslog Configuration
- Navigate to Policies → Common Objects → Syslog Configurations.
- Click New → New Configurations.
-
Configure the following parameters on the General tab:
Parameter Description NameUnique name that identifies the configuration. Server NameHostname or IP address of the XSIAM Broker VM Syslog Server. Server PortThe target syslog port of the XSIAM Broker VM Syslog Server. Event FormatSelect Common Event Format (CEF). TransportSelect the transport protocol. Include time zone in eventsWhether to include the year and time zone in the event timestamp (Recommended). FacilityType of process that events will be associated with. See Syslog Facilities and Levels. Agents should forward logsWhether security events from the DSA (Deep Security Agents) should be sent to the target XSIAM VM Broker directly, or via the DSM.
Please note:
- Some logging functions are supported only for configurations which are defined to forward the DSA events indirectly via the DSM (and not directly to the syslog server).
- Traffic should be enabled from the DSM (Deep Security Manager) tenant to the XSIAM Syslog Server for the requested port & protocol. If the (DSA) Deep Security Agents are configured to forward the events directly to the XSIAM server (and not via the DSM), then traffic should be enabled from the agent tenants as well. See Allow event forwarding network traffic for additional details.
For full documentation, see Forward Deep Security events to a Syslog or SIEM server on the Deep Security Help Center page.
Define Event Forwarding
After defining a syslog configuration, you can define event forwarding for the system events and/or security events, using the syslog configuration defined in the previous section. The system events are audit trail events and system alerts that are generated on the DSM, whereas the security events are alerts and notification events that are generated on the DSA from the various Deep Security protection modules. Define forwarding for the requested type of events: system events, security events, or both.
Forward System Events
- Navigate to Administration → System Settings.
- Click the Event Forwarding tab.
- In the SIEM section, in the Forward System Events to a remote computer (via Syslog) using configuration option, select the relevant syslog configuration that was defined for forwarding the events to the XSIAM Broker VM.
- Click Save.
For additional details, see Forward system events.
Forward Security Events
- Navigate to Policies and double-click the relevant policy which is applied to the monitored agents.
- Select Settings on the left navigation pane, and open the Event Forwarding tab.
- Under the Event Forwarding Frequency (from the Agent/Appliance) section, select the requested forwarding frequency for the given policy under Period between sending of events.
- Under the Event Forwarding Configuration (from the Agent/Appliance) section, for each protection module, select the relevant syslog configuartion for forwarding that module alerts to XSIAM.
- Click Save.
For additional details ,see Forward security events.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Right-click, and select Syslog Collector > Configure.
-
When configuring the Syslog Collector, set the following values:
Parameter Value ProtocolThe protocol that was defined in the syslog configuration on the TrendAI™ Deep Security™ Manager Web Console. PortThe port that was defined in the syslog configuration on the TrendAI™ Deep Security™ Manager Web Console. FormatSelect CEF. VendorEnter TrendMicro. ProductEnter DeepSecurity.
</~XSIAM>