Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Trend Micro Deep Security

integrations network deep security trend micro

The following instructions are for configuring Trend Micro Deep Security to facilitate log ingestion into Taegis™ XDR.

Taegis™ XDR normalizes the following Deep Security event types:

Connectivity Requirements

Source Destination Port/Protocol
Trend Micro Deep Security Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
Trend Micro Deep Security V           Y D   D Y    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Deep Security Platform

Follow the instructions in Trend Micro Deep Security documentation to configure log forwarding.

When defining a Syslog configuration, enter the following information:

Field Required Value
Server Name Taegis™ XDR Collector (mgmt IP)
Server Port 514
Transport UDP
Event Format CEF
Include time zone in events Selected

Example Query Language Searches

To search for nids events from the last 24 hours:


To search for http events:


To search for antivirus events associated with a specific user:

FROM antivirus WHERE sensor_type='TREND_MICRO_DEEP_SECURITY' AND user_name = 'foo'

Sample logs


CEF:0|Trend Micro|Deep Security Agent|10.2.229|4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\trend\\Desktop\\eicar.exe act=Delete result=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM

Application Control:

CEF: 0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202 cn1Label=Host ID dvc= TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5


CEF:0|Trend Micro|Deep Security Agent|10.2.229|20|Log for TCP Port 80|0|cn1=1 cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src= dst= out=1019 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 TrendMicroDsPacketData=AFB...

Integrity Monitoring:

CEF:0|Trend Micro|Deep Security Agent|10.2.229|30|New Integrity Monitoring Rule|6|cn1=1 cn1Label=Host ID dvchost=hostname act=updated filePath=c:\\windows\\message.dll suser=admin sproc=C:\\Windows\\System32\\notepad.exe msg=lastModified,sha1,size

Intrusion Prevention:

CEF:0|Trend Micro|Deep Security Agent|10.2.229|1001111|Test Intrusion Prevention Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src= dst= out=1093 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10 cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention Flags TrendMicroDsPacketData=R0VUIC9zP3...

Web Reputation:

CEF:0|Trend Micro|Deep Security Agent|10.2.229|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin


On this page: