Trend Micro Deep Security as a Service delivers hosted security capabilities for cloud environments, including proactive intrusion detection and prevention (IDS/IPS), firewall, anti-malware, web reputation, log inspection, and integrity monitoring. You will need to perform some configuration on Trend Micro Deep Security so that the logs from the Deep Security device can be viewed on the Logsign USO Platform.
Deep Security Configuration
1. Security Module Event Forwarding
1-1. Log in to Deep Security and go to Policies > Details > Settings > SIEM.
1-2. Fill in the required information and configure the forwarding. Fields not mentioned here can be left at their defaults. Then click "SAVE".
2. System Event Notification Forwarding
After these steps, add the source so that logs from the Trend Micro Deep Security device can be viewed on the Logsign USO Platform.
Open the Logsign USO Platform web interface, click the Settings tab in the menu bar at the top of the page, then click the "+ Device" button under the Data Collection tab. On the Source Type Selection page, choose Syslog as the method, select Trendmicro as the Vendor, and specify Deep Security in the Product Selection section. The page asks for the following information about the source you want to add:
Host: the IP address of the Deep Security product from which you want to retrieve logs.
Encoding: utf_8, the generally accepted standard in information technology, is set as default; leave it as is.
Offset: in short, a time difference. If the system time of the source you are collecting from is ahead of or behind real time, you can correct it here. The "+" symbol moves the timestamp forward and "-" moves it backward. The value is specified in minutes.
Data Policy: filters incoming data in or out. In the Data Policy section you can specify which kinds of logs (by word, event type, etc.) you do or do not want to receive from the source. The default setting is the Default Policy, whose default rule is "collect all logs."
Max Line Length to Process: each log is generated as a single line, which the Logsign USO Platform takes and analyzes. In some cases a single line of a log file can exceed two thousand forty-eight (2048) characters; in such cases you can change this value.
Check Health: ticking this box enables notifications about the service and operability of the Logsign USO Platform. When it is ticked, the Health Check Period field appears; this is the interval at which the check runs.
Device Name: enter a descriptive name for the configuration you are making (for example, Trendmicro-DeepSec); it helps the people who analyze the logs. The Description field can be thought of as a free-form, source-specific area.
Tag: slightly different from the Description field, it serves a broader purpose. For example, you can query by tag and make tag-based definitions when creating a report: if you use multiple Deep Security instances and tag each one DeepSec1 or DeepSec2, a search by the DeepSec1 name returns a shorter result when you query an event.
After filling in the Tag field, click the Save button to add the Trend Micro Deep Security device whose source you have configured.
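As an added example (not part of this guide, the Logsign product or Deep Security itself), the following Python models three of the source settings above, Encoding, Offset and Max Line Length to Process, against constructed syslog lines, so you can check in advance how a batch of forwarded lines would fare under a given setting. The RFC 3164-style header layout and the sample messages are assumptions, not real Deep Security output.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

MAX_LINE_LENGTH = 2048   # the guide's default for "Max Line Length to Process"
ENCODING = "utf_8"       # the guide's default for "Encoding"

# Assumed RFC 3164-style header: <PRI>Mon dd hh:mm:ss host message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def normalize_event(raw: bytes, offset_minutes: int = 0,
                    max_len: int = MAX_LINE_LENGTH, year: int = 2024) -> Optional[dict]:
    """Decode one syslog line with the guide's settings applied.
    Returns None for a line longer than max_len, i.e. one a collector with a
    too-small "Max Line Length to Process" would not process."""
    line = raw.decode(ENCODING, errors="replace").rstrip("\r\n")
    if len(line) > max_len:
        return None
    m = HEADER_RE.match(line)
    if not m:
        return {"parsed": False, "raw": line}
    pri = int(m["pri"])
    # Syslog carries no year, so the caller supplies it. The offset is in
    # minutes: "+" moves the timestamp forward, "-" backward, as in the guide.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {
        "parsed": True,
        "facility": pri // 8,        # e.g. 134 -> facility 16 (local0)
        "severity": pri % 8,         # e.g. 134 -> severity 6 (info)
        "host": m["host"],
        "time": (ts + timedelta(minutes=offset_minutes)).isoformat(),
        "msg": m["msg"],
    }

def summarize(lines, **settings) -> dict:
    """Count how a batch of lines fares under the given settings."""
    counts = {"parsed": 0, "unparsed": 0, "dropped_overlong": 0}
    for raw in lines:
        ev = normalize_event(raw, **settings)
        key = "dropped_overlong" if ev is None else ("parsed" if ev["parsed"] else "unparsed")
        counts[key] += 1
    return counts

# Constructed sample lines (not real Deep Security output): a normal event,
# a line far longer than the 2048-character default, and a malformed line.
SAMPLE_OK = b"<134>Jun  5 08:15:30 dsm-host Deep Security: Intrusion Prevention rule triggered"
SAMPLE_LONG = b"<134>Jun  5 08:15:31 dsm-host " + b"x" * 3000
SAMPLE_BAD = b"not a syslog line"
SAMPLES = [SAMPLE_OK, SAMPLE_LONG, SAMPLE_BAD]
```

Running summarize(SAMPLES) with the default length shows one line dropped as overlong; raising max_len to 4096 keeps it, which is the situation the Max Line Length to Process field exists for.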