av.trendmicro
- Juan Tomás Alonso Nieto (Deactivated)
Introduction
The tags beginning with av.trendmicro identify events generated by Trend Micro.
Valid tags and data tables
The full tag must have at least 4 levels. The first two are fixed as av.trendmicro. The third level identifies the type of events sent, and the fourth and fifth levels indicate the event subtypes.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
Trend Micro Deep Security |
|
|
|
| |
|
| |
|
| |
|
| |
|
| |
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) |
|
|
How is the data sent to Devo?
Logs generated by Trend Micro must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
You will need to set up a rule on the relay to correctly process and forward the events received from Trend Micro. In the example below, you should use any port that you can dedicate to these events.
Trend Micro Deep Security (Agent|Manager) - LEEF Format
Source port - Customer source port, for example
13006Source message -
Deep Security (Manager|Agent)Source tag -
LEEFTarget tag -
av.trendmicro.deepsec.\\m1.leefSent without syslog tag - ✓
Is prefix - ✓
Stop processing - ✓
Trend Micro Deep Security (Agent|Manager) - CEF Format
Source port - Customer source port, for example
13006Source message -
Deep Security (Agent|Manager)Source tag -
CEFTarget Tag -
av.trendmicro.deepsec.\\m1.cefStop processing -
True
Table structure
These are the fields displayed in these tables: