Trend Micro Apex One
A Trend Micro Apex One DSM for JSA accepts events by using SNMPv2.
Trend Micro Apex One was formerly known as Trend Micro OfficeScan. The log source type in JSA keeps the old name, Trend Micro Office Scan.
JSA records virus and spyware detection events. Before you configure a Trend Micro device in JSA, you must configure the device to forward SNMPv2 events.
JSA has two options for integrating with a Trend Micro device. The integration option that you choose depends on your device version:
Integrating with Trend Micro Apex One 8.x
You can integrate a Trend Micro Apex One 8.x device with JSA.
- Log in to the Apex One Administration interface.
- Select Notifications.
- Configure the General Settings for SNMP Traps: in the Server IP Address field, type the IP address of the JSA console.
  Note: Do not change the community trap information.
- Click Save.
- Configure the Standard Alert Notification: select Standard Notifications.
- Click the SNMP Trap tab.
- Select the Enable notification via SNMP Trap for Virus/Malware Detections check box.
- Type the following message in the field (this should be the default):
  Virus/Malware: %v Computer: %s Domain: %m File: %p Date/Time: %y Result: %a
- Select the Enable notification via SNMP Trap for Spyware/Grayware Detections check box.
- Type the following message in the field (this should be the default):
  Spyware/Grayware: %v Computer: %s Domain: %m Date/Time: %y Result: %a
- Click Save.
- Configure Outbreak Alert Notifications: select Outbreak Notifications.
- Click the SNMP Trap tab.
- Select the Enable notification via SNMP Trap for Virus/Malware Outbreaks check box.
- Type the following message in the field (this should be the default):
  Number of viruses/malware: %CV Number of computers: %CC Log Type Exceeded: %A Number of firewall violation logs: %C Number of shared folder sessions: %S Time Period: %T
- Select the Enable notification via SNMP Trap for Spyware/Grayware Outbreaks check box.
- Type the following message in the field (this should be the default):
  Number of spyware/grayware: %CV Number of computers: %CC Log Type Exceeded: %A Number of firewall violation logs: %C Number of shared folder sessions: %S Time Period: %T
- Click Save.
Integrating with Trend Micro Apex One 10.x
Several preparatory steps are necessary before you configure JSA to integrate with a Trend Micro Apex One 10.x device.
You must:
- Configure the SNMP settings for Trend Micro Apex One 10.x.
- Configure standard notifications.
- Configure outbreak criteria and alert notifications.
Configuring General Settings in Trend Micro Apex One
You can integrate a Trend Micro Apex One 10.x device with JSA.
- Log in to the Apex One Administration interface.
- Select Notifications > Administrator Notifications > General Settings.
- Configure the General Settings for SNMP Traps: in the Server IP Address field, type the IP address of your JSA console.
- Type a community name for your Trend Micro Apex One device.
- Click Save.
You must now configure the Standard Notifications for Apex One.
Configuring Standard Notifications in Trend Micro Apex One
You can configure standard notifications.
- Select Notifications > Administrator Notifications > Standard Notifications.
- Define the Criteria settings: click the Criteria tab.
- Select the option to alert administrators on the detection of virus/malware and spyware/grayware, or when the action on these security risks is unsuccessful.
- To enable notifications, configure the SNMP Trap tab.
- Select the Enable notification via SNMP Trap check box.
- Type the following message in the field:
  Virus/Malware: %v Spyware/Grayware: %T Computer: %s IP address: %i Domain: %m File: %p Date/Time: %y Result: %a User name: %n
- Click Save.
You must now configure Outbreak Notifications.
Configuring Outbreak Criteria and Alert Notifications in Trend Micro Apex One
You can configure outbreak criteria and alert notifications for your Trend Micro Apex One device.
- Select Notifications > Administrator Notifications > Outbreak Notifications.
- Click the Criteria tab.
- Type the number of detections and the detection period for each security risk.
  Notification messages are sent to an administrator when the detections exceed the specified limit within the detection period.
  Note: Trend Micro suggests that you use the default values for the detection number and detection period.
- Select Shared Folder Session Link and enable Apex One to monitor for firewall violations and shared folder sessions.
  Note: To view computers on the network with shared folders, or computers currently browsing shared folders, select the number link in the interface.
- Click the SNMP Trap tab.
- Select the Enable notification via SNMP Trap check box.
- Type the following message in the field:
  Number of viruses/malware: %CV Number of computers: %CC Log Type Exceeded: %A Number of firewall violation logs: %C Number of shared folder sessions: %S Time Period: %T
- Click Save.
You are now ready to configure the log source in JSA. To configure the Trend Micro Office Scan log source:
- From the Log Source Type list, select the Trend Micro Office Scan option.
- From the Protocol Configuration list, select the SNMPv2 option.
Integrating with Trend Micro Apex One XG
You can integrate a Trend Micro Apex One XG device with the JSA system.
Before you can integrate a Trend Micro Apex One XG device with the JSA system, you must configure the following items:
- SNMP settings for Trend Micro Apex One XG
- Administrator notifications
- Outbreak notifications
The procedures are:
- Configuring General Settings in Trend Micro Apex One XG
- Configuring Administrator Notifications in Trend Micro Apex One XG
- Configuring Outbreak Notifications in Trend Micro Apex One XG
Configuring General Settings in Trend Micro Apex One XG
You can integrate a Trend Micro Apex One XG device with JSA.
- Log in to the Apex One Administration interface.
- Click Administration > Notifications > General Settings.
- Configure the General Notification Settings for SNMP Traps.
- In the Server IP Address field, type the IP address of the JSA console.
- Type a community name for your Trend Micro Apex One device.
- Click Save.
You must now configure the Administrator Notifications for Apex One.
Configuring Administrator Notifications in Trend Micro Apex One XG
Administrators can be notified when certain security risks are detected by Trend Micro Apex One XG. Configure the device to send notifications through SNMP Trap.
- Click Administration > Notifications > Administrator.
- Click the Criteria tab.
- Select the following options for notification:
  - Virus/Malware Detection
  - Spyware/Grayware Detection
  - C&C Callbacks
- To enable notifications, configure the SNMP Trap tab.
- Select the Enable notification via SNMP Trap check box.
- Type the following messages in the fields for the selected notification types:
  Virus/Malware: %v Spyware/Grayware: %T Computer: %s IP address: %i Domain: %m File: %p Date/Time: %y Result: %a User name: %n
  Spyware/Grayware: %v Endpoint: %s Domain: %m Date/Time: %y Result: %a
  Compromised Host: %CLIENTCOMPUTER% IP Address: %IP% Domain: %DOMAIN% Date/Time: %DATETIME% Callback address: %CALLBACKADDRESS% C&C risk level: %CNCRISKLEVEL% C&C list source: %CNCLISTSOURCE% Action: %ACTION%
- Click Save.
You must now configure Outbreak Notifications.
Configuring Outbreak Notifications in Trend Micro Apex One XG
You can configure your Trend Micro Apex One XG device to notify you of security risk outbreaks. An outbreak is defined by the number of detections and the detection period.
- Click Administration > Notifications > Outbreak.
- Click the Criteria tab.
- Type the number of detections and the detection period for each security risk.
  Note: Notification messages are sent to an administrator when the detections exceed the specified limit within the detection period.
  Tip: Trend Micro suggests that you use the default values for the detection number and detection period.
- To enable notifications, click the SNMP Trap tab, and select the Enable notification via SNMP Trap check box.
- Type the following messages in the fields for the corresponding outbreak types:
  Number of virus/malware: %CV Number of computers: %CC
  Number of spyware/grayware: %CV Number of endpoints: %CC
  C&C callback detected: Accumulated log count: %C in the last %T hour(s)
- Click Save.
Changing the Date Format in JSA to Match the Date Format for your Trend Micro Apex One Device
If your Trend Micro Apex One device uses the dd/MM/yyyy date format, you can enable this date format in JSA by using the DSM Editor.
By default, the Trend Micro Apex One DSM uses the dd/MM/yyyy date format.
- On the Admin tab, in the Data Sources section, click DSM Editor.
- From the Select Log Source Type window, select Trend Micro Office Scan from the log source type list.
- Click the Configuration tab, and then set Display DSM Parameters Configuration to on.
- From the Event Collector list, select the event collector for the log source.
- Set Use dd/MM/yyyy date format to on.
- Click Save.
Changing the Date Format in JSA 7.3 to Match the Date Format for your Trend Micro Apex One Device
If your Trend Micro Apex One device uses the dd/MM/yyyy date format, you can enable this date format in JSA 7.3 by using the command line.
By default, the Trend Micro Apex One DSM uses the dd/MM/yyyy date format.
- Using SSH, log in to your JSA Console as the root user.
- To create a new properties file or to edit an existing properties file, type the following command:
  vi /opt/qradar/conf/Officescan.properties
- To enable the dd/MM/yyyy date format, add the following line to the file:
  useDDMMYYYYDateFormat=true
- To disable the dd/MM/yyyy date format, add the following line to the file instead:
  useDDMMYYYYDateFormat=false
- Save your changes and exit the editor.
- Restart the event collection service. For more information, see Restarting the event collection service.
Configure a log source in JSA by using the SNMPv2 protocol. For more information, see SNMPv2 Log Source Parameters for Trend Micro Apex One.
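The following Python is an added example (not JSA or Trend Micro code) that splits trap messages built from the notification templates in the sections above into label-value pairs, reports any required field that an edited template no longer emits, and shows what the dd/MM/yyyy switch changes: the same Date/Time digits resolve to a different day. The time layout and the required-field set are assumptions of this example.

```python
import re
from datetime import datetime

# Field labels as they appear in the default Apex One SNMP trap templates
# (standard, outbreak and C&C callback notifications).
LABELS = [
    "Virus/Malware", "Spyware/Grayware", "Computer", "Endpoint", "IP address",
    "IP Address", "Domain", "File", "Date/Time", "Result", "User name",
    "Number of viruses/malware", "Number of virus/malware",
    "Number of spyware/grayware", "Number of computers", "Number of endpoints",
    "Log Type Exceeded", "Number of firewall violation logs",
    "Number of shared folder sessions", "Time Period", "Compromised Host",
    "Callback address", "C&C risk level", "C&C list source", "Action",
]
# Longest label first so "Number of computers" is never cut at "Computer".
_LABEL_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True)) + r"):\s"
)
# Fields the default virus/malware template carries; assumed minimum for mapping.
REQUIRED_STANDARD = {"Virus/Malware", "Computer", "Domain", "Date/Time", "Result"}


def parse_trap_message(message: str) -> dict:
    """Split a trap message into label -> value pairs. A value runs up to the
    next known label, so a path such as C:\\Temp\\x.com keeps its colon."""
    hits = list(_LABEL_RE.finditer(message))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        fields[hit.group(1)] = message[hit.end():end].strip()
    return fields


def missing_fields(fields: dict, required=REQUIRED_STANDARD) -> list:
    """Labels that an edited template no longer emits (empty when all present)."""
    return sorted(required - set(fields))


def parse_event_time(value: str, use_ddmmyyyy: bool = False) -> datetime:
    """Interpret Date/Time the way the useDDMMYYYYDateFormat switch does:
    '03/04/2024' is 3 April with the flag on and 4 March with it off.
    The 'dd/MM/yyyy HH:mm:ss' layout is an assumption of this example."""
    fmt = "%d/%m/%Y %H:%M:%S" if use_ddmmyyyy else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(value, fmt)


if __name__ == "__main__":
    # Constructed sample message, not a real trap.
    sample = ("Virus/Malware: Eicar_test_file Computer: WS01 Domain: CORP "
              "File: C:\\Temp\\eicar.com Date/Time: 03/04/2024 10:15:22 Result: Quarantined")
    fields = parse_trap_message(sample)
    print(fields, missing_fields(fields), parse_event_time(fields["Date/Time"], True))
```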
SNMPv2 Log Source Parameters for Trend Micro Apex One
If JSA does not automatically detect the log source, add a Trend Micro Apex One log source on the JSA Console by using the SNMPv2 protocol.
When using the SNMPv2 protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect SNMPv2 events from Trend Micro Apex One:

Parameter | Value
---|---
Log Source Type | Trend Micro Office Scan
Log Source Description | A description for the log source.
Protocol Configuration | SNMPv2
Log Source Identifier | The IP address or host name of your Trend Micro Apex One appliance, used as the identifier for events from it.
Community | The SNMP community name that is required to access the system that contains SNMP events. The default is Public.
Include OIDs in Event Payload | If selected, clear the Include OIDs in Event Payload check box. This option allows the SNMP event payload to be constructed by using name-value pairs instead of the standard event payload format. Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events from certain DSMs.