av.trendmicro

Introduction

The tags beginning with av.trendmicro identify events generated by Trend Micro.

Valid tags and data tables

The full tag must have 5 levels. The first two are fixed as av.trendmicro The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology	Brand	Type	Subtype 1	Subtype 2

Technology	Brand	Type	Subtype 1	Subtype 2
av	trendmicro	deepsec	agent	cef leef
av	trendmicro	deepsec	manager	cef leef

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag	Data table

Tag	Data table
av.trendmicro.deepsec.agent.cef	av.trendmicro.deepsec.agent
av.trendmicro.deepsec.agent.leef	av.trendmicro.deepsec.agent
av.trendmicro.deepsec.manager.cef	av.trendmicro.deepsec.manager
av.trendmicro.deepsec.manager.leef	av.trendmicro.deepsec.manager

How is the data sent to Devo?

Logs generated by Trend Micro must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

You will need to set up a rule on the relay to correctly process and forward the events received from Trend Micro. In the example below, you should use any port that you can dedicate to these events.

Trend Micro Deep Security (Agent|Manager)

Rules	Relay screenshot

Rules

Relay screenshot

LEEF Format

Source Port → Customer source port, for example 13006
Source message → Deep Security (Manager|Agent)
Source tag → LEEF
Target Tag → av.trendmicro.deepsec.\\m1.leef
Sent without syslog tag → True
Is Prefix → False (by default)
Stop processing → True

Trend Micro Deep Security (Agent|Manager)

Rules	Relay screenshot

Rules

Relay screenshot

CEF Format

Source Port → Customer source port, for example 13006
Source message → Deep Security (Agent|Manager)
Source tag → CEF
Target Tag → av.trendmicro.deepsec.\\m1.cef
Sent without syslog tag → False
Is Prefix → False (by default)
Stop processing → True