Collect Trend Micro Deep Security logs

Supported in:

Google secops SIEM

This document explains how to ingest Trend Micro Deep Security logs to Google Security Operations using Bindplane. Trend Micro Deep Security is a server security platform that provides anti-malware, IPS, firewall, integrity monitoring, log inspection, and application control for physical, virtual, and cloud workloads. Deep Security is consolidating under the Trend Vision One platform, but the Deep Security Manager continues to generate syslog events for all protection modules.

For more information, see Collect Trend Micro Deep Security logs.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance.
A Windows 2016 or later or Linux host with systemd.
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
Privileged access to the Trend Micro Deep Security Manager web console with administrator or auditor role.
Deep Security Manager 20.0 or later.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agent.
Download the Ingestion Authentication File.
- Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "[https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi](https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi)" /quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL [https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh](https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh))" install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the configuration file:
- Locate the config.yaml file. Typically, it is in the /opt/observiq-otel-collector/config.yaml directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

receivers:
    tcplog:
        listen_address: "0.0.0.0:1514"

exporters:
    chronicle/trendmicro_ds:
        compression: gzip
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        customer_id: '<CUSTOMER_ID>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: TRENDMICRO_DEEP_SECURITY
        raw_log_field: body
        ingestion_labels:

service:
    pipelines:
        logs/trendmicro_ds_to_chronicle:
            receivers:
                - tcplog
            exporters:
                - chronicle/trendmicro_ds

Replace the port and IP address as required in your infrastructure.
Replace <CUSTOMER_ID> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
sudo systemctl restart observiq-otel-collector
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```

Configure syslog forwarding on Trend Micro Deep Security

Configure syslog settings in Deep Security Manager

Sign in to the Trend Micro Deep Security Manager web console.
Go to Administration > System Settings > Event Forwarding.
In the SIEM section, select Forward Events to a remote computer (via Syslog).
Click Edit next to the syslog configuration.
Provide the following configuration details:
- Server Name: Enter the IP address of the Bindplane agent host.
- Server Port: Enter 1514 (or your configured port).
- Transport: Select TCP.
- Event Format: Select Common Event Format (CEF).
Note: CEF format is recommended for optimal parsing with Google SecOps.
Click OK to save the syslog server configuration.

Select event types to forward

In the Event Forwarding tab, configure which event types to forward:
- Anti-Malware Events: Select Forward Anti-Malware Events to Syslog.
- Web Reputation Events: Select Forward Web Reputation Events to Syslog.
- Firewall Events: Select Forward Firewall Events to Syslog.
- Intrusion Prevention Events: Select Forward Intrusion Prevention Events to Syslog.
- Integrity Monitoring Events: Select Forward Integrity Monitoring Events to Syslog.
- Log Inspection Events: Select Forward Log Inspection Events to Syslog.
- Application Control Events: Select Forward Application Control Events to Syslog.
- System Events: Select Forward System Events to Syslog.
Click Save.

Configure policy-level syslog (optional)

If you need to configure syslog forwarding for specific policies:

Go to Policies.
Double-click the policy you want to configure.
Go to Settings > Event Forwarding.
For each protection module, you can override the global syslog settings:
- Select Inherit to use the global setting.
- Select Yes to enable syslog forwarding for the specific policy.
- Select No to disable syslog forwarding for the specific policy.
Click Save.

Verify syslog forwarding

In the Deep Security Manager, go to Events & Reports > Events.
Verify that security events are being generated.
Check the Bindplane agent logs to confirm that syslog messages are being received on the TCP listener:
```
sudo journalctl -u observiq-otel-collector -f
```

For more information, see Trend Micro Deep Security syslog documentation.

UDM mapping table

Log Field	UDM Mapping	Logic
`dvc`	`about.ip`	Merged
`aggregation_type_label`	`additional.fields`	Merged
`cn1Label`	`additional.fields`	Mapped: `Host ID` → `cn1_label`
`cn1_label`	`additional.fields`	Merged
`fileInCompressedFile_label`	`additional.fields`	Merged
`repeat_count_label`	`additional.fields`	Merged
`cef_host`	`intermediary.hostname`	Directly mapped
`hostname`	`intermediary.hostname`	Directly mapped
`cef_host`	`intermediary.ip`	Merged
`hostname`	`intermediary.ip`	Merged
`desc`	`metadata.description`	Directly mapped
`timestamp`	`metadata.event_timestamp`	Parsed as `ISO8601`
`has_principal`	`metadata.event_type`	Mapped: `true` → `NETWORK_HTTP`, `true` → `STATUS_UPDATE`
`TrendMicroDsTenant`	`metadata.product_deployment_id`	Directly mapped
`event_id`	`metadata.product_event_type`	Directly mapped
`log_type`	`metadata.product_name`	Directly mapped
`product_version`	`metadata.product_version`	Directly mapped
`organization`	`metadata.vendor_name`	Directly mapped
`proto`	`network.ip_protocol`	Mapped: `ICMPv6` → `ICMP`
`in`	`network.received_bytes`	Renamed/mapped
`out`	`network.sent_bytes`	Renamed/mapped
`dvchost`	`principal.asset.hostname`	Directly mapped
`shost`	`principal.asset.hostname`	Directly mapped
`src`	`principal.asset.ip`	Merged
`dvchost`	`principal.hostname`	Directly mapped
`shost`	`principal.hostname`	Directly mapped
`src`	`principal.ip`	Merged
`smac`	`principal.mac`	Merged
`srcMAC`	`principal.mac`	Merged
`spt`	`principal.port`	Directly mapped
`srcPort`	`principal.port`	Directly mapped
`TrendMicroDsProcessPid`	`principal.process.pid`	Directly mapped
`suser`	`principal.user.user_display_name`	Directly mapped
`suid`	`principal.user.userid`	Directly mapped
`usrName`	`principal.user.userid`	Directly mapped
`action`	`security_result.action`	Merged
`act`	`security_result.action_details`	Directly mapped
`result`	`security_result.action_details`	Directly mapped
`cat`	`security_result.category_details`	Merged
`msg`	`security_result.description`	Directly mapped
`TrendMicroDsPacketData_label`	`security_result.detection_fields`	Merged
`behaviour_type_field`	`security_result.detection_fields`	Merged
`cn3_label`	`security_result.detection_fields`	Merged
`count_label`	`security_result.detection_fields`	Merged
`cs1_label`	`security_result.detection_fields`	Merged
`cs2_label`	`security_result.detection_fields`	Merged
`cs3_label`	`security_result.detection_fields`	Merged
`cs4_label`	`security_result.detection_fields`	Merged
`cs5_label`	`security_result.detection_fields`	Merged
`cs6_label`	`security_result.detection_fields`	Merged
`cs7_label`	`security_result.detection_fields`	Merged
`frame_type_field`	`security_result.detection_fields`	Merged
`malware_target`	`security_result.detection_fields`	Merged
`process_label`	`security_result.detection_fields`	Merged
`target_type`	`security_result.detection_fields`	Merged
`tenant_field`	`security_result.detection_fields`	Merged
`tenant_id_field`	`security_result.detection_fields`	Merged
`sev`	`security_result.severity`	Mapped: `"0", "1", "2", "3", "LOW"` → `LOW`, `"4", "5", "6", "MEDIUM"` → `MEDIUM`, `"7", "8"...
`sev`	`security_result.severity_details`	Directly mapped
`name`	`security_result.summary`	Directly mapped
`result`	`security_result.summary`	Directly mapped
`event_name`	`security_result.threat_name`	Directly mapped
`organization`	`target.administrative_domain`	Directly mapped
`cef_host`	`target.asset.hostname`	Directly mapped
`hostname`	`target.asset.hostname`	Directly mapped
`target`	`target.asset.hostname`	Directly mapped
`dst`	`target.asset.ip`	Merged
`filePath`	`target.file.full_path`	Directly mapped
`cs3`	`target.file.md5`	Directly mapped
`TrendMicroDsFileSHA1`	`target.file.sha1`	Directly mapped
`cs2`	`target.file.sha1`	Directly mapped
`fileHash`	`target.file.sha256`	Directly mapped
`cn2`	`target.file.size`	Renamed/mapped
`fsize`	`target.file.size`	Renamed/mapped
`cef_host`	`target.hostname`	Directly mapped
`hostname`	`target.hostname`	Directly mapped
`target`	`target.hostname`	Directly mapped
`dst`	`target.ip`	Merged
`dmac`	`target.mac`	Merged
`dstMAC`	`target.mac`	Merged
`dpt`	`target.port`	Directly mapped
`dstPort`	`target.port`	Directly mapped
`duser`	`target.user.user_display_name`	Directly mapped
N/A	`metadata.event_type`	Constant: `NETWORK_HTTP`
N/A	`network.ip_protocol`	Constant: `ICMP`
N/A	`security_result.severity`	Constant: `LOW`

Need more help? Get answers from Community members and Google SecOps professionals.