
av.trendmicro

Introduction

The tags beginning with av.trendmicro identify events generated by Trend Micro.

Valid tags and data tables

The full tag must have at least 4 levels. The first two are fixed as av.trendmicro. The third level identifies the product that generated the events (deepsec or iwsva), the fourth identifies the event type (for example agent, alerts or firewallevents), and the optional fifth level identifies the message format (cef or leef).

These are the valid tags and the data tables that receive the parsed data. Tags that differ only in the fifth level (.cef or .leef) are stored in the same table as the four-level tag:

Trend Micro Deep Security

  • Tags av.trendmicro.deepsec.agent, av.trendmicro.deepsec.agent.cef and av.trendmicro.deepsec.agent.leef - Data table av.trendmicro.deepsec.agent

  • Tag av.trendmicro.deepsec.alerts - Data table av.trendmicro.deepsec.alerts

  • Tag av.trendmicro.deepsec.antimalwareevents - Data table av.trendmicro.deepsec.antimalwareevents

  • Tag av.trendmicro.deepsec.console - Data table av.trendmicro.deepsec.console

  • Tag av.trendmicro.deepsec.firewallevents - Data table av.trendmicro.deepsec.firewallevents

  • Tag av.trendmicro.deepsec.integrityevents - Data table av.trendmicro.deepsec.integrityevents

  • Tags av.trendmicro.deepsec.manager, av.trendmicro.deepsec.manager.cef and av.trendmicro.deepsec.manager.leef - Data table av.trendmicro.deepsec.manager

Trend Micro InterScan Web Security Virtual Appliance (IWSVA)

  • Tag av.trendmicro.iwsva.event - Data table av.trendmicro.iwsva.event

For more information, see About Devo tags.

How is the data sent to Devo?

Logs generated by Trend Micro must be sent to the Devo platform through the Devo Relay, which encrypts the connection to Devo. The relay rules required are listed below.

You need to set up a rule on the relay so that the events received from Trend Micro are tagged and forwarded correctly. In the examples below, use any port that you can dedicate to these events. The parentheses in the Source message field capture whether the event came from the Deep Security Manager or the Deep Security Agent, and the \\m1 placeholder in the Target tag is replaced with that captured value, so a single rule per format routes both sources to their own tag.

Trend Micro Deep Security (Agent|Manager) - LEEF Format

  • Source port - Customer source port, for example 13006

  • Source message - Deep Security (Manager|Agent)

  • Source tag - LEEF

  • Target tag - av.trendmicro.deepsec.\\m1.leef

  • Sent without syslog tag -

  • Is prefix -

  • Stop processing -


Trend Micro Deep Security (Agent|Manager) - CEF Format

  • Source port - Customer source port, for example 13006

  • Source message - Deep Security (Agent|Manager)

  • Source tag - CEF

  • Target Tag - av.trendmicro.deepsec.\\m1.cef

  • Stop processing - True
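The following Python script is an added example, not part of the Devo documentation or of the Devo Relay, that models how the two rules above route constructed Deep Security messages to tags and then to data tables. It assumes that the relay's Source tag is compared against the CEF/LEEF header of the message, that \\m1 is substituted with the first capture group of the Source message regex, and that the captured value is lowercased so the result matches the lowercase tags listed in the table above; the sample events are constructed for the example and are not real Trend Micro output. The Stop processing value for the LEEF rule is blank on this page and is treated as False here.

```python
import re

# Constructed sample events (not real Trend Micro output). The headers follow the
# "CEF:0|Vendor|Product|..." and "LEEF:2.0|Vendor|Product|..." layouts so that the
# Source message regex can find the product name.
SAMPLE_EVENTS = [
    "CEF:0|Trend Micro|Deep Security Manager|1.0|600|User Signed In|3|src=10.0.0.5 suser=admin",
    "CEF:0|Trend Micro|Deep Security Agent|1.0|4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID",
    "LEEF:2.0|Trend Micro|Deep Security Manager|1.0|600|cat=System\tsev=3",
    "LEEF:2.0|Trend Micro|Deep Security Agent|1.0|21|cat=Firewall\tact=Deny",
    "CEF:0|Some Vendor|Other Product|1.0|1|Unrelated|1|",
]

# The two relay rules from this page, as data. "source_tag" stands in for the
# relay's Source tag field and "source_message" for its Source message regex.
# The LEEF rule's Stop processing value is blank on the page; False is assumed.
RELAY_RULES = [
    {"source_tag": "LEEF",
     "source_message": r"Deep Security (Manager|Agent)",
     "target_tag": r"av.trendmicro.deepsec.\\m1.leef",
     "stop_processing": False},
    {"source_tag": "CEF",
     "source_message": r"Deep Security (Agent|Manager)",
     "target_tag": r"av.trendmicro.deepsec.\\m1.cef",
     "stop_processing": True},
]


def route(message):
    """Return the list of Devo tags a message is routed to under RELAY_RULES.

    Assumed semantics (this is a model, not the relay's code): the Source tag
    must equal the message's format header (CEF or LEEF), the Source message
    regex must match somewhere in the message, and \\m1 in the Target tag is
    replaced by the first capture group of that regex, lowercased.
    """
    fmt = message.split(":", 1)[0]  # "CEF" or "LEEF" taken from the header
    tags = []
    for rule in RELAY_RULES:
        if fmt != rule["source_tag"]:
            continue
        match = re.search(rule["source_message"], message)
        if not match:
            continue
        tags.append(rule["target_tag"].replace(r"\\m1", match.group(1).lower()))
        if rule["stop_processing"]:
            break
    return tags


def is_valid_tag(tag):
    """Check the structure stated on this page: at least four levels, the first
    two fixed as av.trendmicro."""
    levels = tag.split(".")
    return len(levels) >= 4 and levels[0] == "av" and levels[1] == "trendmicro"


def data_table(tag):
    """Map a routed tag to its data table: the optional fifth level (.cef/.leef)
    is dropped and the first four levels name the table, as in the table above."""
    if not is_valid_tag(tag):
        raise ValueError(f"not an av.trendmicro tag: {tag}")
    return ".".join(tag.split(".")[:4])


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        tags = route(event)
        tables = [data_table(t) for t in tags]
        print(f"{event[:45]:<45} -> tags={tags} tables={tables}")
```

Running the script shows the Manager and Agent events landing in av.trendmicro.deepsec.manager and av.trendmicro.deepsec.agent respectively, while the unrelated CEF event matches no rule and would keep whatever default tag the relay port assigns.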


Table structure

These are the fields displayed in these tables: