av.trendmicro
Introduction
The tags beginning with av.trendmicro
identify events generated by Trend Micro.
Valid tags and data tables
The full tag must have at least 4 levels. The first two are fixed as av.trendmicro
. The third level identifies the type of events sent, and the fourth and fifth levels indicate the event subtypes.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Trend Micro Deep Security |
|
|
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) |
|
|
For more information, read more About Devo tags.
How is the data sent to Devo?
Logs generated by Trend Micro must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
You will need to set up a rule on the relay to correctly process and forward the events received from Trend Micro. In the example below, you should use any port that you can dedicate to these events.
Trend Micro Deep Security (Agent|Manager) - LEEF Format
Source port - Customer source port, for example
13006
Source message -
Deep Security (Manager|Agent)
Source tag -
LEEF
Target tag -
av.trendmicro.deepsec.\\m1.leef
Sent without syslog tag - ✓
Is prefix - ✓
Stop processing - ✓
Trend Micro Deep Security (Agent|Manager) - CEF Format
Source port - Customer source port, for example
13006
Source message -
Deep Security (Agent|Manager)
Source tag -
CEF
Target Tag -
av.trendmicro.deepsec.\\m1.cef
Stop processing -
True
Table structure
These are the fields displayed in these tables: