Accenture MDR Quick Start Guide for Trend Micro™ Deep Security

This quick start guide will help Accenture MDR customers configure Trend Micro™ Deep Security to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

  • Supported Versions

  • Port Requirements

  • Configuring Trend Micro Deep Security

  • Assigning the policy to computers

  • Testing the SIEM settings

  • Forwarding system events

  • LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source                      Destination   Port        Description
Trend Micro Deep Security   LCP           514 (UDP)   Default port

Configuring Trend Micro Deep Security

To configure Deep Security to forward logs, perform the following steps.

  1. Log in to the Deep Security web console.

  2. On the Home page, click the Policies tab.

  3. On the Policies tab, in the left panel, click Policies.

  4. Right-click the policy to be assigned to monitored computers, for example, Accenture Security MDR, and then click Details.

  5. In the Policy Editor screen, in the left panel, click Settings.

  6. In Settings, click the Event Forwarding tab.

  7. On the Event Forwarding tab, under Event Forwarding Frequency, set the period between event sending to any value between 10 and 60 seconds. The default value is 60 seconds, but we recommend 10 seconds.

  8. Under Event Forwarding configuration, set the Anti-Malware Event Forwarding, Web Reputation Event Forwarding, Firewall and Intrusion Prevention Event Forwarding, and Log Inspection and Integrity Monitoring Syslog Configuration using the following settings:

  • Enter the Name of the configuration.

  • In the Server Name text box, type the LCP server.

  • In the UDP port text box, type the UDP port. The default value is 514.

  • From the Syslog Facility drop-down list, select any local facility number.

  • Set the Agent configuration to Directly to the Syslog Server.

Note: For the agent configuration, either Via the Deep Security Manager or Directly to the Syslog Server can be selected. The Relay via Manager option is preferred, because Direct Forward may not include all the event information.

  • From the Event Format drop-down list, select Common Event Format.

  9. Click OK to save the configuration.

Assigning the policy to computers

Assign the newly created policy to monitored computers. When the policy is assigned, Deep Security sends it to the agent or Deep Security Virtual Appliance (DSVA) on the computer.

The status should be Managed (Online) for proper communication between the Agent and Manager.

Note: Settings applied directly to a computer through the Computer Editor override the assigned policy settings; we do not recommend doing this.

To assign the policy, follow the steps below.

  1. In the Deep Security web console, click the Computers tab.

  2. Locate the computer to receive the policy, then right-click it and select Actions > Assign Policy….

  3. Select the newly created policy and click OK.

Testing the SIEM settings

Test the policy assignment to ensure that the policy settings are properly applied and not being overridden.

To test the SIEM settings, follow the steps below.

  1. In the Deep Security web console, click the Computers tab.

  2. Right-click the computer that received the policy and select Details.

  3. In Computer Editor, click Settings > SIEM.

  4. Check all of the subsections to ensure that each retains the settings you configured when you created the policy.

Note: Ensure that the Use Inherited Settings option is selected so that the settings defined in the policy are inherited. If this option is not selected, syslog settings can be overridden on a per-computer basis, which is not recommended because of the overhead.

After this procedure, all events will be forwarded to the LCP.

Forwarding system events

Next, configure System Event forwarding by following the steps below.

  1. In the Deep Security web console, click the Administration tab.

  2. In the left panel, click System Settings and then click the Event Forwarding tab.

  3. On the SIEM tab, select Forward System Events to a remote computer (via Syslog) using configuration.

  4. Enter the Name for the Syslog configuration.

  5. Enter the hostname or the IP address of the LCP.

  6. Enter the UDP port. The default value is 514.

  7. Select the Syslog facility to use. Select any local facility number.

  8. To verify, go to System Events and confirm that all event IDs are checked.

LCP Configuration Parameters

Table 1-2: The Trend Micro Deep Security event collector (Syslog-3756) properties to be configured by MDR are shown in the table.

Property             Default Value                                Description
Transport Protocol   UDP                                          Default protocol for syslog events.
IP Address           Trend Micro Deep Security IP address         Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
                                                                  Note: If the device sends logs using multiple interfaces, contact the Accenture Security MDR onboarding team.
Signatures           Deep Security Agent, Deep Security Manager   MDR recommended signatures processed by the Trend Micro Deep Security event collector.
Port                 514                                          The default port for Syslog
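To confirm that what arrives at the LCP is what the collector expects (the Common Event Format chosen in step 8, a local syslog facility, and the Deep Security Agent and Deep Security Manager signatures from Table 1-2), the following Python example parses syslog-wrapped CEF lines and counts those the collector would attribute to Deep Security. It is an added example, not part of this guide or of any Trend Micro or Accenture tooling; the sample lines, host names and event values are constructed.

```python
import re

# Device products the LCP collector accepts for Deep Security (Table 1-2 signatures)
EXPECTED_PRODUCTS = {"Deep Security Agent", "Deep Security Manager"}
LOCAL_FACILITIES = range(16, 24)  # syslog local0..local7, as the guide asks for
# Constructed sample lines (hypothetical hosts and values, not from a real deployment)
SAMPLE_LINES = [
    "<134>Mar  2 10:15:01 dsm01 CEF:0|Trend Micro|Deep Security Manager|20.0.0|600|"
    "User Signed In|3|src=10.0.0.5 suser=admin msg=User signed in from 10.0.0.5",
    "<134>Mar  2 10:15:07 web01 CEF:0|Trend Micro|Deep Security Agent|20.0.0|4000000|"
    "Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=web01 act=Quarantine filePath=/tmp/eicar.com",
    "<30>Mar  2 10:15:09 web01 CEF:0|Other Vendor|Other Product|1.0|1|Noise|1|msg=ignored",
]
# BSD-style syslog wrapper: <PRI>timestamp host CEF:0|...   (PRI = facility * 8 + severity)
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<msg>CEF:0\|.*)$")
# CEF extension: key=value pairs; values may contain spaces, the next key starts after a space
EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line):
    """Parse one syslog-wrapped CEF line; return None when it is not well-formed CEF."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Split the CEF header on unescaped '|' only; the eighth piece is the extension
    parts = re.split(r"(?<!\\)\|", m.group("msg"), maxsplit=7)
    if len(parts) != 8:
        return None
    _, vendor, product, version, sig_id, name, severity, ext = parts
    event = {"facility": int(m.group("pri")) // 8, "host": m.group("host"),
             "vendor": vendor, "product": product, "version": version,
             "signature_id": sig_id, "name": name, "severity": severity}
    event.update(dict(EXT_RE.findall(ext)))
    return event

def is_deep_security_event(event):
    """True when vendor, product and syslog facility match what the collector expects."""
    return (event["vendor"] == "Trend Micro" and event["product"] in EXPECTED_PRODUCTS
            and event["facility"] in LOCAL_FACILITIES)

def check_feed(lines):
    """Count accepted events per product and lines the collector would not attribute to Deep Security."""
    counts = {p: 0 for p in sorted(EXPECTED_PRODUCTS)}
    rejected = 0
    for ev in map(parse_line, lines):
        if ev and is_deep_security_event(ev):
            counts[ev["product"]] += 1
        else:
            rejected += 1
    return counts, rejected
```

A rejected count above zero on a live capture means some lines either are not CEF, do not carry the Trend Micro vendor and product fields, or were sent with a non-local syslog facility; compare them against the settings in steps 8 and 3 of the two forwarding procedures.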

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.