Deep Security : Sending events to vCenter Log Insight

I noticed on Twitter that a new version of Log Insight had been released, and it gave me the idea to see whether it is possible to create some dashboards in Log Insight for Deep Security events. Deep Security has two options for this: either the agents forward events directly to the syslog server, or the DSM collects the events from the agents at the agent collection interval and forwards them from the DSM server to the syslog server. In my lab I used the option for the agent to send the events directly to the syslog server (in my case Log Insight, so when I refer to the syslog server in this post I mean Log Insight).

So first we have to configure the agent policy to send the events to the syslog server. This is done from the DSM console: Policies -> (Select Policy) -> Settings -> SIEM. Here you can change the setting to forward events to the syslog server. Note that I am only forwarding Anti-Malware events; the forwarding has to be configured for each module separately. My settings below:

[Screenshot: syslog01]

You should also configure the DSM itself to forward its own events to the syslog server: Administration -> System Settings -> SIEM.

[Screenshot: syslog02]

Now let's look at Log Insight. The events that come through should look like this in the console under "Interactive Analytics":

[Screenshot: syslog03]

As we can see from the log entry:

  • The source is the Deep Security Manager
  • The event is: User signed in
  • The user signed in from IP 192.168.0.3 as user Admin
  • TrendDsTenant: Primary

Now let's build a dashboard that shows the agents that recorded malware in the last 5 minutes (you can of course use the last 24 hours instead). In my lab I opened the EICAR test file on my AD01 server. Here we can see some of the events that were logged:

[Screenshot: syslog04]

As we can see, the "Deep Security Agent" recorded the Eicar_test_file detection by the Realtime scan. Based on this we can build a query that matches all events containing both "Deep Security Agent" and "Realtime":

[Screenshot: syslog05]

From here we can save this query to a dashboard. It should look like this:

[Screenshot: syslog06]

Some other examples that can be created:

  • Events for the last 24 hours per tenant (the tenant name is included in each event)
  • All DSM events
  • All agent events
  • User login events to the DSM
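To make the two dashboard queries concrete, here is an added example that replays them offline. It is example code written for this post, not Trend Micro's or VMware's, and it never talks to Log Insight: it parses a few constructed Deep Security CEF-over-syslog lines (the extension keys dvchost, act, msg, suser, src, filePath and TrendMicroDsTenant are an assumption about the agent's output, not taken from the screenshots), then implements the "Deep Security Agent" + "Realtime" search within a time window, grouped by host, plus the "user login events to the DSM" widget from the list above.

```python
"""Offline stand-in for the Log Insight dashboard queries, run over a handful of
Deep Security syslog/CEF lines. Example code written for this post, not part of
the original post or of Trend Micro's product."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not captured from a real DSM). The layout follows the
# CEF-over-syslog shape Deep Security emits, "<PRI>Mon dd HH:MM:SS host CEF:0|...";
# the extension keys used here are an assumption about the agent's format.
SAMPLE_LINES = [
    r"<134>Mar 10 09:58:12 dsm01 CEF:0|Trend Micro|Deep Security Manager|9.5|600|User Signed In|3|"
    r"suser=Admin src=192.168.0.3 msg=User signed in from 192.168.0.3 TrendMicroDsTenant=Primary",
    # Real-time detection, but older than the 5-minute window used below
    r"<134>Mar 10 09:50:00 AD01 CEF:0|Trend Micro|Deep Security Agent|9.5|4000000|Eicar_test_file|6|"
    r"dvchost=AD01 act=Quarantine msg=Realtime filePath=C:\\Temp\\old.com TrendMicroDsTenant=Primary",
    r"<134>Mar 10 10:01:05 AD01 CEF:0|Trend Micro|Deep Security Agent|9.5|4000000|Eicar_test_file|6|"
    r"dvchost=AD01 act=Quarantine msg=Realtime filePath=C:\\Users\\hugo\\eicar.com TrendMicroDsTenant=Primary",
    r"<134>Mar 10 10:01:06 AD01 CEF:0|Trend Micro|Deep Security Agent|9.5|4000000|Eicar_test_file|6|"
    r"dvchost=AD01 act=Delete msg=Realtime filePath=C:\\Users\\hugo\\eicar_com.zip TrendMicroDsTenant=Primary",
    # Manual scan hit: "Deep Security Agent" but not "Realtime", so the query must skip it
    r"<134>Mar 10 10:02:00 web01 CEF:0|Trend Micro|Deep Security Agent|9.5|4000000|Eicar_test_file|6|"
    r"dvchost=web01 act=Quarantine msg=Manual filePath=/tmp/eicar.com TrendMicroDsTenant=Primary",
    r"<134>Mar 10 10:02:30 file01 CEF:0|Trend Micro|Deep Security Agent|9.5|4000000|Eicar_test_file|6|"
    r"dvchost=file01 act=Quarantine msg=Realtime filePath=/srv/share/eicar.com TrendMicroDsTenant=Primary",
]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (CEF:0\|.*)$")
NEXT_PAIR_RE = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")  # whitespace that starts the next key=value


@dataclass
class DsEvent:
    timestamp: datetime
    host: str           # syslog relay/sender host
    product: str        # "Deep Security Manager" or "Deep Security Agent"
    signature_id: str
    name: str           # e.g. "Eicar_test_file" or "User Signed In"
    severity: int
    ext: dict


def split_cef_header(payload):
    """Return the seven pipe-delimited header fields and the extension string,
    honouring CEF's backslash escapes (\\| and \\\\) inside header fields."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, payload[i:]


def _unescape(value):
    # Extension values escape '=' and '\' with a backslash; \n and \r mean newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split 'k1=v1 k2=some value k3=v3' into a dict; values may contain spaces."""
    pairs = {}
    for chunk in NEXT_PAIR_RE.split(ext.strip()):
        key, sep, value = chunk.partition("=")
        if sep:
            pairs[key] = _unescape(value)
    return pairs


def parse_line(line, year):
    """Parse one syslog line into a DsEvent. RFC 3164 timestamps carry no year,
    so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a Deep Security CEF syslog line: {line[:40]!r}")
    _pri, mon, day, clock, host, payload = m.groups()
    ts = datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", "%Y %b %d %H:%M:%S")
    hdr, ext = split_cef_header(payload)
    return DsEvent(ts, host, hdr[2], hdr[4], hdr[5], int(hdr[6]), parse_extension(ext))


def realtime_malware_by_host(events, now, window_minutes=5):
    """The post's dashboard query: Deep Security Agent events whose scan type is
    "Realtime", within the last `window_minutes`, grouped by host."""
    since = now - timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ev in events:
        if ev.product != "Deep Security Agent":   # DSM events (logins etc.) never match
            continue
        if ev.ext.get("msg") != "Realtime":       # manual/scheduled scan hits are skipped
            continue
        if not since <= ev.timestamp <= now:      # outside the dashboard's time range
            continue
        hits[ev.ext.get("dvchost", ev.host)].append(ev.name)
    return dict(hits)


def dsm_logins(events):
    """Second widget from the list above: user sign-ins to the DSM."""
    return [(ev.timestamp, ev.ext.get("suser"), ev.ext.get("src"))
            for ev in events
            if ev.product == "Deep Security Manager" and ev.name == "User Signed In"]


EVENTS = [parse_line(line, year=2014) for line in SAMPLE_LINES]
NOW = datetime(2014, 3, 10, 10, 3, 0)  # fixed "now" so the 5-minute window is reproducible

if __name__ == "__main__":
    print(realtime_malware_by_host(EVENTS, NOW))
    print(dsm_logins(EVENTS))
```

One design choice worth copying into the real Log Insight query: the code matches the product field of the CEF header and the scan type carried in the extension rather than free-text searching for the word "Realtime" anywhere in the event, so a file path or user name that happens to contain that string cannot produce a false hit. In Log Insight the equivalent is to extract those two fields and filter on them instead of on the raw text.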

  1. Great article!
    It would be great if Trend Micro created a Content Pack for Log Insight.
    Those events could then be parsed/searched/correlated/you name it (big data, hello) for better proactive monitoring of the environment 🙂

  2. Hi Piro,

    Agree. I have emailed our PM on this, so let's see. I think we should see one soon.

    Hugo
