Date post: 05-Jul-2020
Integrate Trend Micro InterScan Web Security
EventTracker Enterprise

EventTracker, 8815 Centre Park Drive, Columbia MD 21045, www.eventtracker.com
Publication Date: Mar. 23, 2016

About this Guide
This guide helps a Trend Micro InterScan Web Security Virtual Appliance user send logs to an external syslog server.

Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise 7.x or later and Trend Micro InterScan Web Security Virtual Appliance 6.5.

Audience
Administrators who want to monitor Trend Micro InterScan Web Security Virtual Appliance using EventTracker Enterprise.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2016 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents
About this Guide
  Scope
  Audience
Introduction
Pre-requisites
IWSVA syslog configuration
EventTracker Knowledge Pack
  Categories
  Alerts
  Reports
Import Trend Micro InterScan knowledge pack into EventTracker
  Import Category
  Import Alerts
  Import Tokens
  Import Flex Reports
  Import Knowledge Object
Verify Trend Micro InterScan knowledge pack in EventTracker
  Verify Trend Micro InterScan Categories
  Verify Trend Micro InterScan Alerts
  Verify Trend Micro InterScan Tokens
  Verify Trend Micro InterScan Reports
  Verify Knowledge Object
Create Dashboards in EventTracker
  Schedule Reports
  Create Dashlets
Sample Dashboards


Introduction
The InterScan Web Security Virtual Appliance (IWSVA) is a gateway solution that provides protection against web-based threats over HTTP and FTP. IWSVA defends against web threats with multi-layer, multi-threat protection at the internet gateway. It accomplishes this through content filtering for potentially dangerous websites and blocking content prohibited by the organization.

Pre-requisites
• EventTracker 7.x or later should be installed.
• User should have administrator privileges to IWSVA console.

IWSVA syslog configuration
1. Log in to the IWSVA console.
2. Click Logs > Log Settings > Syslog Server in the main menu.
3. Click Add.
4. Under Syslog Servers:
   a) Select Enable checkbox to allow IWSVA to send logs to this syslog server.
   b) Specify the syslog server’s IP address.
   c) Select UDP from Protocol dropdown.
   d) Specify the Port Number as 514.
5. Under Syslog Settings:
   a) Select local3 from Syslog facility dropdown to forward logs using selected priority level.
   b) Under Save following logs, select checkboxes for required log types as shown below to forward selected event categories.
6. Click Save.


Figure 1

NOTE: Enable Debug logs judiciously, as it might result in high log volume.

EventTracker Knowledge Pack
Once Trend Micro InterScan events are enabled and received in EventTracker, Alerts and Reports can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker to support Trend Micro InterScan monitoring.

Categories
• Trend Micro InterScan: Trusted URL added: This category based report provides information related to Trusted URL added from Trend Micro InterScan.


• Trend Micro InterScan: Trusted URL added to exception: This category based report provides information related to Trusted URL added to exception from Trend Micro InterScan.

• Trend Micro InterScan: User logon success: This category based report provides information related to User logon success from Trend Micro InterScan.

• Trend Micro InterScan: HTTP inspection policy added: This category based report provides information related to HTTP inspection policy added from Trend Micro InterScan.

• Trend Micro InterScan: HTTP DLP policy added: This category based report provides information related to HTTP DLP policy added from Trend Micro InterScan.

• Trend Micro InterScan: URL filter policy added: This category based report provides information related to URL filter policy added from Trend Micro InterScan.

• Trend Micro InterScan: Digital certificates management: This category based report provides information related to Digital certificates management from Trend Micro InterScan.

• Trend Micro InterScan: FTP DLP global policy changes: This category based report provides information related to FTP DLP global policy change from Trend Micro InterScan.

• Trend Micro InterScan: HTTP CPU utilization: This Category based report provides information related to HTTP CPU utilization in Trend Micro InterScan.

• Trend Micro InterScan: Delete policies: This Category based report provides information related to delete policies in Trend Micro InterScan.

• Trend Micro InterScan: Policy management: This Category based report provides information related to Policy management in Trend Micro InterScan.

Alerts
• Trend Micro InterScan- Policies added: This alert is generated when any sort of policies have been added from Trend Micro InterScan.

Logs considered

Mar 07 12:07:00 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:08:29,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:08:29 GMT+05:30 2016;tk_description=Add new Application Control policy: Block Tom


Mar 07 12:16:30 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:17:59,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:17:59 GMT+05:30 2016;tk_description=Add Https Decryption policy: Block bing.com

Mar 07 12:23:20 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:24:50,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:24:50 GMT+05:30 2016;tk_description=Exception to tunnel list now contains: www.bing.com*

Mar 07 14:45:01 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 14:46:32,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 14:46:32 GMT+05:30 2016;tk_description=Add HTTP scan policy: virus detected:awe$mf.dfl

Mar 07 14:51:22 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 14:52:53,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 14:52:53 GMT+05:30 2016;tk_description=Add HTTP Inspection policy: allow Bender

Mar 07 15:23:32 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:25:03,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:25:03 GMT+05:30 2016;tk_description=Add HTTP DLP policy: DATA LOSS PREVENTION

Mar 07 15:31:29 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:32:59,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:32:59 GMT+05:30 2016;tk_description=Add JAVA scan policy: APPLETS AND ACTIVEX

Mar 07 15:43:48 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:45:19,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:45:19 GMT+05:30 2016;tk_description=Add URL filtering policy: Block Tom

Mar 07 15:51:35 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:53:06,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:53:06 GMT+05:30 2016;tk_description=Add Access Quota policy: Unlimited Access

Mar 07 17:19:48 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 17:21:16,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 17:21:16 GMT+05:30 2016;tk_description=changed FTP DLP Scan Global Policy rule: DLP rule changed

• Trend Micro InterScan- Policies deleted: This alert is generated when any sort of policies have been deleted from Trend Micro InterScan.

Logs considered


Mar 07 12:11:18 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:12:47,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:12:47 GMT+05:30 2016;tk_description=Delete policy: Block Tom Account: 192.168.1.138

Mar 07 12:19:38 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:21:07,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:21:07 GMT+05:30 2016;tk_description=Delete policy: Block bing.com Account: 192.168.1.118

Mar 07 15:27:38 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:29:09,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:29:09 GMT+05:30 2016;tk_description=Delete policy: DATA LOSS PREVENTION Account: 192.168.1.118

Mar 07 15:35:33 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:37:04,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:37:04 GMT+05:30 2016;tk_description=Delete policy: APPLETS AND ACTIVEX Account: 192.168.1.131

Mar 07 15:41:01 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:42:32,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:42:32 GMT+05:30 2016;tk_description=Delete policy: Block Tom Account: 192.168.1.138

Mar 07 17:09:28 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 17:10:57,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 17:10:57 GMT+05:30 2016;tk_description=blacklistremove certificate: AffirmTrust Premium ECC
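
The audit records listed under "Logs considered" for the two alerts share one layout, so a single parser can split them into fields and separate policy additions from deletions. The following Python is an added example, not EventTracker's knowledge pack or rule logic; the regular expressions and the added/deleted/other labels are assumptions derived from the sample lines above, and the last two sample lines are constructed.

```python
import re

# Header layout taken from the "Logs considered" samples in this guide.
HEADER = re.compile(
    r"^(?P<received>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[\w-]+): "
    r"<(?P<device_time>[^>]*)> "
    r"\[(?P<event>\w+)\|(?P<level>\w+)\] "
    r"(?P<body>.*)$"
)
# tk_key=value pairs are separated by ';'. A value runs up to the next
# ';tk_<name>=' so a ';' inside tk_description does not cut it short.
FIELD = re.compile(r"(tk_\w+)=(.*?)(?=;tk_\w+=|$)")

# Assumed classification patterns, derived from the sample descriptions.
ADDED = re.compile(r"^Add\b.*?\bpolicy:\s*(?P<name>.+)$", re.IGNORECASE)
DELETED = re.compile(
    r"^Delete policy:\s*(?P<name>.+?)(?:\s+Account:\s*(?P<account>\S+))?$"
)


def parse_line(line):
    """Return a dict of header and tk_ fields, or None if the layout differs."""
    match = HEADER.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    body = record.pop("body")
    for key, value in FIELD.findall(body):
        record[key] = value.strip()
    return record


def classify(record):
    """Map one parsed audit record to (action, policy_name, account)."""
    if record.get("event") != "EVT_AUDITING":
        return ("not_audit", None, None)
    description = record.get("tk_description", "")
    deleted = DELETED.match(description)
    if deleted:
        return ("policy_deleted", deleted.group("name"), deleted.group("account"))
    added = ADDED.match(description)
    if added:
        return ("policy_added", added.group("name"), None)
    return ("other_audit", None, None)


def triage(lines):
    """Parse and classify lines; keep unparsed lines instead of dropping them."""
    events, unparsed = [], []
    for line in lines:
        record = parse_line(line)
        if record is None:
            unparsed.append(line)
            continue
        action, policy, account = classify(record)
        events.append({
            "host": record["host"],
            "user": record.get("tk_user"),
            "action": action,
            "policy": policy,
            "account": account,
        })
    return events, unparsed


def sample_line(received, device_time, description):
    """Build a line in the guide's layout for the sample set below."""
    return (
        f"Mar 07 {received} 192.168.1.202 trend-micro: "
        f"<Mon, 07 Mar 2016 {device_time},IST> [EVT_AUDITING|LOG_WARNING] "
        f"Auditing log tk_user=admin;tk_date_field=Mon Mar 07 {device_time} "
        f"GMT+05:30 2016;tk_description={description}"
    )


SAMPLE_LINES = [
    # The first four descriptions are taken from the guide's samples.
    sample_line("12:07:00", "12:08:29", "Add new Application Control policy: Block Tom"),
    sample_line("12:11:18", "12:12:47", "Delete policy: Block Tom Account: 192.168.1.138"),
    sample_line("12:23:20", "12:24:50", "Exception to tunnel list now contains: www.bing.com*"),
    sample_line("17:09:28", "17:10:57", "blacklistremove certificate: AffirmTrust Premium ECC"),
    # Constructed: a ';' inside the description must not truncate the value.
    sample_line("16:00:00", "16:01:30", "Add URL filtering policy: Block;Tom"),
    # Constructed: a line that does not follow the layout at all.
    "Mar 07 16:05:00 192.168.1.202 trend-micro: truncated",
]

if __name__ == "__main__":
    events, unparsed = triage(SAMPLE_LINES)
    for event in events:
        print(event)
    print("unparsed:", len(unparsed))
```

Lines that do not match the layout are returned separately instead of being dropped, so a format change on the appliance shows up as a growing unparsed count.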

Reports
• Trend Micro InterScan- Trusted URL added: This report provides information related to trusted URL added which include User Name, Trusted URL List from fields.

Logs considered


Sample Report

Figure 2

• Trend Micro InterScan- Trusted URL added to exception: This report provides information related to trusted URL added to exception which includes User Name, Exception Trust List from fields.

Logs considered


Sample Report

Figure 3

• Trend Micro InterScan- User logon success: This report provides information related to trusted URL added which include User Name from fields.

Logs considered

Sample Report

Figure 4


• Trend Micro InterScan- HTTP inspection policy added: This report provides information related to HTTP inspection policy added which include User Name, HTTP Inspection Policy added from fields.

Logs considered

Sample Report

Figure 5

• Trend Micro InterScan- HTTP DLP policy added: This report provides information related to HTTP DLP policy added which include User Name, HTTP DLP Policy from fields.

Logs considered

Sample Report

Figure 6

• Trend Micro InterScan- URL filter policy added: This report provides information related to URL filtering policy which includes User Name, URL Filter Policy from fields.

Logs considered


Sample Report

Figure 7

• Trend Micro InterScan- Digital certificates management: This report provides information related to digital certificate management which include User Name, Digital Certificate Management from fields.

Logs considered


Sample Report

Figure 8

• Trend Micro InterScan- FTP DLP global policy changes: This report provides information related to FTP DLP global policy change which include User Name, Message from fields.

Logs considered

Sample Report

Figure 9

• Trend Micro InterScan- HTTP CPU utilization: This report provides information related to HTTP CPU utilization which includes Metric Value from fields.

Logs considered


Sample Report

Figure 10

• Trend Micro InterScan: Delete policies: This report provides information related to deleted policies which include User Name, Policy Name from the fields.

Logs Considered:

Mar 07 12:11:18 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:12:47,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:12:47 GMT+05:30 2016;tk_description=Delete policy: Block Tom Account: 192.168.1.138

Mar 07 12:19:38 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:21:07,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:21:07 GMT+05:30 2016;tk_description=Delete policy: Block bing.com Account: 192.168.1.118

Mar 07 15:27:38 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:29:09,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:29:09 GMT+05:30 2016;tk_description=Delete policy: DATA LOSS PREVENTION Account: 192.168.1.118


Mar 07 15:35:33 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:37:04,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:37:04 GMT+05:30 2016;tk_description=Delete policy: APPLETS AND ACTIVEX Account: 192.168.1.131

Mar 07 15:41:01 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:42:32,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:42:32 GMT+05:30 2016;tk_description=Delete policy: Block Tom Account: 192.168.1.138

Mar 07 17:09:28 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 17:10:57,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 17:10:57 GMT+05:30 2016;tk_description=blacklistremove certificate: AffirmTrust Premium ECC

Sample Report

Figure 11

• Trend Micro InterScan: Policy management: This report provides information related to policy management which includes User Name, Policy Name from the fields.

Mar 07 12:07:00 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:08:29,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:08:29 GMT+05:30 2016;tk_description=Add new Application Control policy: Block Tom


Mar 07 12:16:30 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:17:59,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:17:59 GMT+05:30 2016;tk_description=Add Https Decryption policy: Block bing.com

Mar 07 12:23:20 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 12:24:50,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 12:24:50 GMT+05:30 2016;tk_description=Exception to tunnel list now contains: www.bing.com*

Mar 07 14:45:01 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 14:46:32,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 14:46:32 GMT+05:30 2016;tk_description=Add HTTP scan policy: virus detected:awe$mf.dfl

Mar 07 14:51:22 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 14:52:53,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 14:52:53 GMT+05:30 2016;tk_description=Add HTTP Inspection policy: allow Bender

Mar 07 15:23:32 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:25:03,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:25:03 GMT+05:30 2016;tk_description=Add HTTP DLP policy: DATA LOSS PREVENTION

Mar 07 15:31:29 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:32:59,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:32:59 GMT+05:30 2016;tk_description=Add JAVA scan policy: APPLETS AND ACTIVEX

Mar 07 15:43:48 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:45:19,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:45:19 GMT+05:30 2016;tk_description=Add URL filtering policy: Block Tom

Mar 07 15:51:35 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 15:53:06,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 15:53:06 GMT+05:30 2016;tk_description=Add Access Quota policy: Unlimited Access

Mar 07 17:19:48 192.168.1.202 trend-micro: <Mon, 07 Mar 2016 17:21:16,IST> [EVT_AUDITING|LOG_WARNING] Auditing log tk_user=admin;tk_date_field=Mon Mar 07 17:21:16 GMT+05:30 2016;tk_description=changed FTP DLP Scan Global Policy rule: DLP rule changed


Sample Report

Figure 12

Import Trend Micro InterScan knowledge pack into EventTracker

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility, and then click Import tab.

Import Category/Alert/Tokens/Flex Reports as given below.


Import Category

1. Click Category option, and then click the browse button.

Figure 13

2. Locate All Trend Micro InterScan group of Categories.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays success message.


Figure 14

4. Click OK, and then click the Close button.

Import Alerts

1. Click Alerts option, and then click the browse button.

Figure 15


2. Locate All TREND MICRO INTERSCAN group of Alerts.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

EventTracker displays success message.

Figure 16

4. Click OK, and then click the Close button.

Import Tokens

1. Click Token value option, and then click the browse button.


Figure 17

2. Locate Trend Micro InterScan tokens.istoken file, and then click the Open button.

3. To import tokens, click the Import button.

EventTracker displays success message.

Figure 18

4. Click OK, and then click the Close button.


Import Flex Reports

1. Click Report option, and then click the browse button.

Figure 19

2. Locate Trend Micro InterScan Flex Report.issch file, and then click the Open button.

3. To import scheduled reports, click the Import button.

EventTracker displays success message.

Figure 20


4. Click OK, and then click the Close button.

Import Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.

2. Click on ‘Import’ option.

Figure 21

3. In IMPORT pane click on Browse button.

Figure 22

4. Locate Trend Micro InterScan.etko file, and then click the UPLOAD button.


Figure 23

5. Now select the check box and then click on ‘OVERWRITE’ option.

EventTracker displays success message.

Figure 24

6. Click on OK button.

Verify Trend Micro InterScan knowledge pack in EventTracker

Verify Trend Micro InterScan Categories

1. Logon to EventTracker Enterprise.


2. Click the Admin menu, and then click Categories.

3. In Category Tree, scroll down and expand Trend Micro InterScan group folder to view the imported categories.

Figure 25

Verify Trend Micro InterScan Alerts

1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Alerts.

3. In Search field, type ‘Trend Micro’, and then click the Go button.

Alert Management page will display all the imported Trend Micro InterScan alerts.


Figure 26

4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays message box.

Figure 27

5. Click OK, and then click the Activate Now button.

NOTE:

You can select alert notification such as Beep, Email, and Message etc. For this, select the respective checkbox in the Alert management page, and then click the Activate Now button.

Verify Trend Micro InterScan Tokens

1. Logon to EventTracker Enterprise.


2. Click the Admin menu, and then click Parsing Rules.

The imported Trend Micro InterScan tokens are added in Token-Value Groups list. Please refer to Figure 24.

Figure 28

Verify Trend Micro InterScan Reports

1. Logon to EventTracker Enterprise.

2. Click the Reports menu, and then select Configuration.

3. In Reports Configuration pane, select Defined option.

EventTracker displays Defined page.

4. In search box enter ‘Trend Micro InterScan’, and then click the Search button.


EventTracker displays Flex reports of Trend Micro.

Figure 29

Verify Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.

2. Scroll down and select Trend Micro InterScan in Objects pane. Imported Trend Micro InterScan object details are shown.


Figure 30

Create Dashboards in EventTracker

Schedule Reports

1. Open EventTracker in browser and logon.

Figure 31

2. Navigate to Reports>Configuration.


Figure 32

1. Select Trend Micro InterScan in report groups. Check defined dialog box.

2. Click on ‘schedule’ to plan a report for later execution.


Figure 33

3. Choose appropriate time for report execution and in Step 8 check Persist data in Eventvault explorer box.


Figure 34

4. Check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention period.

5. Proceed to next step and click Schedule button.

6. Wait for scheduled time or generate report manually.

Create Dashlets

1. EventTracker 8 is required to configure flex dashboard.

2. Open EventTracker in browser and logon.


Figure 35

3. Navigate to Dashboard>Flex.

Flex Dashboard pane is shown.

Figure 36

4. Fill fitting title and description and click Save button.


5. Click to configure a new flex dashlet. Widget configuration pane is shown.

Figure 37

7. Locate earlier scheduled report in Data Source dropdown.

8. Select Chart Type from dropdown.

9. Select extent of data to be displayed in Duration dropdown.

10. Select computation type in Value Field Setting dropdown.

11. Select evaluation duration in As Of dropdown.

12. Select comparable values in X Axis with suitable label.

13. Select numeric values in Y Axis with suitable label.

14. Select comparable sequence in Legend.

15. Click Test button to evaluate. Evaluated chart is shown.


Figure 38

16. If satisfied, Click Configure button.

Figure 39

17. Click ‘customize’ to locate and choose created dashlet.

18. Click to add dashlet to earlier created dashboard.


Sample Dashboards

1. Trend Micro InterScan- Digital certificate management.

Figure 40

