SIEM Solution Integration With Control Manager

Size: px

Start display at page:

Download "SIEM Solution Integration With Control Manager"

Coleen Randall
5 years ago
Views:

2 Contents Introduction... 3 Overview... 3 Direct Mode... 4 Bridge Mode... 5 Functional Design... 5 SNMP Trap... 6 Syslog... 6 Log Forwarder Tool... 9 Configure LogForwarder Settings Trigger Application Page 2 of 11 Trend Micro

3 Introduction SNMP and Syslog are the dominating protocols within the current corporate environment. Trend Micro products use these two protocols to send Notifications to the Network Management Systems within corporate IT infrastructures. Control Manager allows you to use in-house or industry-standard applications to notify selected recipients about events detected by managed products. In addition, Log Forwarder Tool can send syslog from the Control Manager database to a syslog server. It supports both ArcSight Common Event Format (CEF) and Control Manager (CM) format. Overview Corporate customers have their own IT infrastructure setup and they most likely have their own Network Management System (NMS). They have implemented their own notification gateways that send out notifications via mail or SMS to their IT administrators when there are urgent issues that need to be addressed. Customers will be able to configure Trend Micro products to leverage their existing implementations. The integration of the products with existing IT infrastructure in the corporate environment provides an enhanced user experience for customers. Currently, there are several Trend Micro products that use either SNMP or syslog, or even both. However, there is no standard schema and there are conflicting instances when using OID in Trend s SNMP. For products that do not send out SNMP and syslog on their own, they can send the SNMP and syslog content to TMCM, which in turn sends the content to the NMS. The following scenarios illustrate how SNMP and syslog are sent to the NMS: Page 3 of 11 Trend Micro

Direct Mode Products send out their SNMP and syslog to the NMS directly. When the product sends the SNMP and syslog directly to the NMS, it minimizes the latency of the notification.

4 Direct Mode Products send out their SNMP and syslog to the NMS directly. When the product sends the SNMP and syslog directly to the NMS, it minimizes the latency of the notification. But the schema and format of the SNMP and syslog might be inconsistent. Also, these topologies require that each product implement the syslog and SNMP. Hopefully, these are implemented consistently. Page 4 of 11 Trend Micro

5 Bridge Mode Products send logs to TMCM. TMCM then sends the SNMP or syslog to the NMS. This topology is preferred by Trend Micro. Here, the SNMP and syslog will be consistent as they will use the format used by TMCM. Also consider that in some situations, an extremely large amount of notification may generate that causes performance issues for TMCM. We suggest monitoring the amount of notifications sent out. If the SIEM application is receiving a delay, you may consider using the Direct Mode if the Trend Micro product is able to support it. Functional Design Customer can configure SNMP and Syslog setting for Control Manager (CM) format from TMCM management console. In addition, Log Forwarder tool can send syslog for both ArcSight Common Event Format (CEF) and Control Manager (CM) format. Page 5 of 11 Trend Micro

6 SNMP Trap SNMP Trap sends a notification using Simple Network Management Protocol. Control Manager stores notifications in Management Information Bases (MIBs) and MIB browsers are used to view the SNMP notification. The SNMP will be sent via Net-SNMP. This library implements SNMP V2c. The SNMP MIB file is located in \Control Manager\WebUI\Download\Tools\cm2_mib.zip. The following are the thought of priority when this SNMP was designed: No conflict with the current SNMP schema of Trend Micro products Defined MIB fields Notification message schema should be ready to be re-used b different products Minimize the need for new products to re-invent their own message Enhance consistency and predictability for customers and better interoperability with NMS Procedure via Web UI 1. Go to Notifications > Notification Method Settings 2. The Notification Method Settings screen appears. 3. In the SNMP Trap Settings section, specify the following: Community name: Type the SNMP community name. Server IP address: Type the IPv4 or IPv6 address of the SNMP server. 4. Click Save. Syslog This notification was first introduced in TMCM 5.0. CISCO Security Monitoring, Analysis and Response System (MARS) is one of the supported products for this method and it is implemented for the following products - IMSS, IWSS, ISVW, and OSCE. The following are the characteristics of the syslog message: Easier regular expression parsing Enhanced readability Uses the name value pair name = value Follows RFC 3164 for syslog format Applies ISO 8601 time format Maintains the same event ID with the SNMP message for better consistency Page 6 of 11 Trend Micro

7 Procedure via Web UI 1. Go to Notifications > Notification Method Settings 2. The Notification Method Settings screen appears. 3. In the Syslog Settings section, specify the following: Server IP address: Type the IPv4 or IPv6 address of the syslog server. Port: The port number of the syslog server. Facility: Select the facility code. Add multiple syslog servers using the add icon if you have. 4. Click Save. The table below shows the TMCM Notifications section you are able to send syslog. Not all notifications in TMCM are able to be sent via syslog. Group Events Support Syslog Advanced Threat Activity C&C Callback alert C&C Callback outbreak alert N Correlated Incident Detections N Messages with Advanced N Threats High Risk Virtual Analyzer N Detections High Risk Host Detections N Known Targeted Attack Behavior N Potential Document Exploit N Detections Rootkit or Hacking Tool Detections N SHA-1 Deny List Detections N Worm or File Infector Propagation N Detections Content Policy Violation Policy Violation Web Access Security Violation Data Loss Prevention Incident Details Updated N Scheduled Incident Summary N Significant Incident Increase N Significant Incident Increase by N Channel Significant Incident Increase by N Sender Significant Incident Increase by N User Significant Template Match N Increase Known Threat Activity Network Virus Alert Special Spyware/Grayware Alert Special Virus Alert Spyware/Grayware Found - Action Successful Page 7 of 11 Trend Micro

Spyware/Grayware Found - Further Action Required Virus Found - First Action Successful Virus Found - First Action Unsuccessful and Second Action Unavailable Virus Found - First and Second Actions

8 Spyware/Grayware Found - Further Action Required Virus Found - First Action Successful Virus Found - First Action Unsuccessful and Second Action Unavailable Virus Found - First and Second Actions Unsuccessful Virus Found - Second Action Successful Virus Outbreak Alert Network Access Control Network VirusWall Policy Violations N Potential Vulnerability Attacks Unusual Product Behavior Managed Product Unreachable N Product Service Started Product Service Stopped Real-time Scan Disabled Real-time Scan Enabled Updates Antispam Rule Update Successful Antispam Rule Update Unsuccessful Pattern File/Cleanup Template Update Successful Pattern File/Cleanup Template Update Unsuccessful Scan Engine Update Successful Scan Engine Update Unsuccessful When you click the event link in Event Notifications, you can check if Syslog is supported. Click In addition, Log Forwarder Tool can also send syslog with ArcSight Common Event Format (CEF) format. Please refer to the Log Forwarder Tool section to understand more about this tool. Page 8 of 11 Trend Micro

9 Log Forwarder Tool Log Forwarder Tool can send several log types from the Control Manager database to a syslog server in either ArcSight Common Event Format (CEF) or Control Manager (CM) format. The following are the types of logs the Log Forwarder Tool supports: Log Types CEF Log Format Support TMCM Log Format Support Behavior Monitoring es es C&C Callback es No Data Loss Prevention es es Device Access Control es es Engine Update Status es es Suspicious File es No Network Content Inspection es No Virus/Malware es No Pattern Update Status es es Content Security es No Spyware/Grayware es No Web Security es No Predictive Learning Machine es No Endpoint Application Control* es No Sandbox Detection Logs* es No * Means it is available after TMCM 7.0 Patch 1. Note: Trend Micro Control Manager 7.0 discontinues support for the DataExport Tool. Administrators should use the LogForwarder Tool (LogForwarder.exe). The LogForwarder Tool only supports UDP protocol. Page 9 of 11 Trend Micro

$Configure LogForwarder Settings Procedure 1. Go to the Control Manager installation directory. By default, the installation directory is C:\Program Files (x86)\trend Micro\Control Manager. 2.$

10 Configure LogForwarder Settings Procedure 1. Go to the Control Manager installation directory. By default, the installation directory is C:\Program Files (x86)\trend Micro\Control Manager. 2. Execute the LogForwarder.exe file using administrator rights (Run as administrator) to open the LogForwarder console. 3. Configure the Log Receiver settings. IP address: Syslog server IP address Port: Syslog server port number Facility: Facility code of the syslog message Severity: Severity level of the syslog message (Optional) Do not ping the server before establishing a connection: Select to send the syslog message without having to ping the destination server first 4. Configure the Log Forwarding Settings. Frequency: The frequency in which the tool sends logs Format: Select whether to use CEF or Control Manager log format Logs to forward: Select the log types to forward to Control Manager 5. Click Start. Note: After the Control Manager service restarts successfully, the tool continues to run in the backend until users reopen the LogForwarder console and click Stop. Page 10 of 11 Trend Micro

The following are the examples of what the CM format logs and CEF logs look like: CM format In CM format, the column name is from CM string table, and it is more readable.

Trigger Application Control Manager allows you to use in-house or industry-standard applications to notify selected recipients about events detected by managed products.

11 The following are the examples of what the CM format logs and CEF logs look like: CM format In CM format, the column name is from CM string table, and it is more readable. CEF format CEF uses common fields defined in CEF format. This format is mainly used by ArcSight for logging event data. Trigger Application Control Manager allows you to use in-house or industry-standard applications to notify selected recipients about events detected by managed products. For example, if your organization uses a batch file that executes the net send command, you can use the Notification Method Settings screen to provide the credentials for a user account with the necessary privileges. Procedure via Web UI 1. Go to Notifications > Notification Method Settings 2. The Notification Method Settings screen appears. 3. In the Trigger Application Settings section, select Use a specified user to trigger the application. 4. Type the user name and password for an account with the privileges required by the trigger application. 5. Click Save. Page 11 of 11 Trend Micro

Copyright 2014 Trend Micro Incorporated. All rights reserved.

Copyright 2014 Trend Micro Incorporated. All rights reserved. Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent