Skip to main content

Trend Micro Deep Security

Trend Micro Deep Security is an endpoint protection tool that scans your assets and generates vulnerabilities against those assets. You can bring computers, computer groups, and intrusion prevention rules from Trend Micro Deep Security into the Brinqa Platform to construct a unified view of your attack, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Trend Micro Deep Security and how to obtain that information from Trend Micro. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Trend Micro Deep Security from the Connector drop-down. You must provide the following information to authenticate Trend Micro Deep Security with Brinqa:

  • Server URL: Your organization's Trend Micro Deep Security Server URL. The URL format is https://<ServerName>/.

  • API key: The API token associated with the Trend Micro Deep Security account, which must have permissions to log in to the API server and return data.

Obtain a Trend Micro Deep Security API key

For the Trend Micro Deep Security connector to retrieve data from the Trend Micro Deep Security API, you must provide an API key. To do so, follow these steps:

  1. Log in to your organization's Trend Micro Deep Security portal as an administrator.

  2. Navigate to Administration > API Keys.

  3. Click Add API Key.

    The Add API Key menu displays. Complete the following fields:

    • Name: Provide a name for the API key.
    • Role: Click the drop-down and select Auditor. This is the minimum role required to access the Trend Micro API and retrieve data.
    • Expiration Time: Click the drop-down and select the expiry date for the token.
    • Description: (Optional) Provide a description for the API key.
    • Status: Toggle the Status to enable the API key.

    Trend Micro API key

  4. Click Add.

    Your new API key displays. You can not view the key again after this. Copy and save it to a safe and secure location.

  5. (Optional) After you create the API key, you can restrict API access to specific IP addresses or IP ranges. Click the Name of the API key, and toggle Restrict API access to specified IP addresses.

    If you prefer to restrict access to specific IP addresses or ranges, please contact your Brinqa Support specialists so that they can assist you with the list of IP addresses or IP ranges for whitelisting.

note

If you do not have permissions to create an API token, contact your Trend Micro Deep Security administrator. For additional information, see Trend Micro documentation about Managing API keys and Defining roles for users.

Additional settings

The Trend Micro Deep Security connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

  • Skip certificate verification: Select this option to allow for untrusted certificates.

Types of data to retrieve

The Trend Micro Deep Security connector can retrieve the following types of data from the Trend Micro Deep Security API:

Table 1: Data retrieved from Trend Micro Deep Security

Connector ObjectRequiredMaps to Data Model
ComputerYesHost
Computer GroupNoNot mapped
Computer Intrusion PreventionYesVulnerability
Intrusion PreventionYesVulnerability Definition
info

For detailed steps on how to view the data retrieved from Trend Micro Deep Security in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Computer

Table 2: Computer attribute mappings

Source Field NameMaps to Attribute
activityMonitoring.moduleStatus.agentStatusLocal variable
activityMonitoring.moduleStatus.agentStatusMessageLocal variable
activityMonitoring.moduleStatus.applianceStatusLocal variable
activityMonitoring.moduleStatus.applianceStatusMessageLocal variable
activityMonitoring.stateLocal variable
agentFingerPrintLocal variable
agentGUIDLocal variable
agentVersionLocal variable
antiMalware.lastManualScanLocal variable
antiMalware.lastScheduledScanLocal variable
antiMalware.manualScanConfigurationIDLocal variable
antiMalware.moduleStatus.agentStatusLocal variable
antiMalware.moduleStatus.agentStatusMessageLocal variable
antiMalware.moduleStatus.applianceStatusLocal variable
antiMalware.moduleStatus.applianceStatusMessageLocal variable
antiMalware.realTimeScanConfigurationIDLocal variable
antiMalware.realTimeScanScheduleIDLocal variable
antiMalware.scheduledScanConfigurationIDLocal variable
antiMalware.stateLocal variable
applianceFingerPrintLocal variable
applicationControl.blockUnrecognizedLocal variable
applicationControl.maintenanceModeDurationLocal variable
applicationControl.maintenanceModeEndTimeLocal variable
applicationControl.maintenanceModeStartTimeLocal variable
applicationControl.maintenanceModeStatusLocal variable
applicationControl.moduleStatus.agentStatusLocal variable
applicationControl.moduleStatus.agentStatusMessageLocal variable
applicationControl.moduleStatus.applianceStatusLocal variable
applicationControl.moduleStatus.applianceStatusMessageLocal variable
applicationControl.rulesetIDLocal variable
applicationControl.stateLocal variable
applicationControl.trustRulesetIDLocal variable
azureARMVirtualMachineSummary.cloudProvidercloud provider
azureARMVirtualMachineSummary.cloudServiceLocal variable
azureARMVirtualMachineSummary.DNSNamednsCalculation
azureARMVirtualMachineSummary.deploymentIDLocal variable
azureARMVirtualMachineSummary.deploymentModelLocal variable
azureARMVirtualMachineSummary.imageIDimageId
azureARMVirtualMachineSummary.locationlocation
azureARMVirtualMachineSummary.metadataLocal variable
azureARMVirtualMachineSummary.operatingSystemos
azureARMVirtualMachineSummary.privateIPAddressipCalculation
azureARMVirtualMachineSummary.publicIPAddressipCalculation
azureARMVirtualMachineSummary.resourceGroupLocal variable
azureARMVirtualMachineSummary.securityGroupLocal variable
azureARMVirtualMachineSummary.stateLocal variable
azureARMVirtualMachineSummary.subscriptionIDLocal variable
azureARMVirtualMachineSummary.typeLocal variable
azureVMVirtualMachineSummary.DNSNamednsNames
azureVMVirtualMachineSummary.cloudProviderLocal variable
azureVMVirtualMachineSummary.cloudServiceservice
azureVMVirtualMachineSummary.deploymentIDLocal variable
azureVMVirtualMachineSummary.imageIDimageId
azureVMVirtualMachineSummary.instanceIDinstanceId
azureVMVirtualMachineSummary.locationlocation
azureVMVirtualMachineSummary.metadataLocal variable
azureVMVirtualMachineSummary.operatingSystemos
azureVMVirtualMachineSummary.privateIPAddressprivateIpAddress
azureVMVirtualMachineSummary.publicIPAddresspublicIpAddress
azureVMVirtualMachineSummary.stateLocal variable
azureVMVirtualMachineSummary.subscriptionIDLocal variable
azureVMVirtualMachineSummary.typeLocal variable
biosUUIDLocal variable
computerSettingsLocal variable
computerStatus.agentStatusLocal variable
computerStatus.agentStatusMessagesLocal variable
computerStatus.applianceStatusLocal variable
computerStatus.applianceStatusMessagesLocal variable
descriptionLocal variable
deviceControl.moduleStatus.agentStatusLocal variable
deviceControl.moduleStatus.agentStatusMessageLocal variable
deviceControl.moduleStatus.applianceStatusLocal variable
deviceControl.moduleStatus.applianceStatusMessageLocal variable
deviceControl.stateLocal variable
displayNamename
ec2VirtualMachineSummary.DNSNameLocal variable
ec2VirtualMachineSummary.accountIDcloudAccountId
ec2VirtualMachineSummary.amiIDLocal variable
ec2VirtualMachineSummary.availabilityZoneLocal variable
ec2VirtualMachineSummary.cloudProvidercloudProviderId
ec2VirtualMachineSummary.instanceIDinstanceId
ec2VirtualMachineSummary.metadataLocal variable
ec2VirtualMachineSummary.operatingSystemos
ec2VirtualMachineSummary.privateIPAddressprivateIpAddress
ec2VirtualMachineSummary.publicIPAddresspublicOpAddress
ec2VirtualMachineSummary.securityGroupsLocal variable
ec2VirtualMachineSummary.stateLocal variable
ec2VirtualMachineSummary.typeLocal variable
ec2VirtualMachineSummary.virtualizationTypeLocal variable
gcpVirtualMachineSummary.DNSNameLocal variable
gcpVirtualMachineSummary.cloudProviderLocal variable
gcpVirtualMachineSummary.instanceIDLocal variable
gcpVirtualMachineSummary.labelsLocal variable
gcpVirtualMachineSummary.memoryLocal variable
gcpVirtualMachineSummary.metadataLocal variable
gcpVirtualMachineSummary.networkTagsLocal variable
gcpVirtualMachineSummary.operatingSystemLocal variable
gcpVirtualMachineSummary.privateIPAddressLocal variable
gcpVirtualMachineSummary.projectIDLocal variable
gcpVirtualMachineSummary.publicIPAddressLocal variable
gcpVirtualMachineSummary.stateLocal variable
gcpVirtualMachineSummary.vCPUsLocal variable
gcpVirtualMachineSummary.zoneLocal variable
groupIDLocal variable
hostGUIDLocal variable
hostNamehostname
iduid
integrityMonitoring.lastBaselineCreatedLocal variable
integrityMonitoring.lastIntegrityScanLocal variable
integrityMonitoring.moduleStatus.agentStatusLocal variable
integrityMonitoring.moduleStatus.agentStatusMessageLocal variable
integrityMonitoring.moduleStatus.applianceStatusLocal variable
integrityMonitoring.moduleStatus.applianceStatusMessageLocal variable
integrityMonitoring.ruleIDsLocal variable
integrityMonitoring.stateLocal variable
interfacesLocal variable
intrusionPrevention.applicationTypeIDsLocal variable
intrusionPrevention.moduleStatus.agentStatusLocal variable
intrusionPrevention.moduleStatus.agentStatusMessageLocal variable
intrusionPrevention.moduleStatus.applianceStatusLocal variable
intrusionPrevention.moduleStatus.applianceStatusMessageLocal variable
intrusionPrevention.ruleIDsLocal variable
intrusionPrevention.stateLocal variable
lastAgentCommunicationLocal variable
lastApplianceCommunicationLocal variable
lastIPUsedipAddresses,publicIpAddress,privateIpAddress
lastSendPolicyRequestLocal variable
lastSendPolicySuccessLocal variable
logInspection.moduleStatus.agentStatusLocal variable
logInspection.moduleStatus.agentStatusMessageLocal variable
logInspection.moduleStatus.applianceStatusLocal variable
logInspection.moduleStatus.applianceStatusMessageLocal variable
logInspection.ruleIDsLocal variable
logInspection.stateLocal variable
machine_domain.webReputationServiceLocal variable
major_version.manifestsLocal variable
minor_version.otherLocal variable
noConnectorVirtualMachineSummary.accountIDLocal variable
noConnectorVirtualMachineSummary.directoryIDLocal variable
noConnectorVirtualMachineSummary.instanceIDLocal variable
noConnectorVirtualMachineSummary.regionLocal variable
noConnectorVirtualMachineSummary.userNameLocal variable
policyIDLocal variable
relayListIDLocal variable
SAP.moduleStatus.agentStatusLocal variable
SAP.moduleStatus.agentStatusMessageLocal variable
SAP.moduleStatus.applianceStatusLocal variable
SAP.moduleStatus.applianceStatusMessageLocal variable
SAP.stateLocal variable
securityUpdates.antiMalwareLocal variable
securityUpdates.lastChangedLocal variable
securityUpdates.rulesLocal variable
securityUpdates.updateStatus.statusLocal variable
securityUpdates.updateStatus.statusMessageLocal variable
tasks.agentTasksLocal variable
tasks.applianceTasksLocal variable
vcloudVMVirtualMachineSummary.DNSNameLocal variable
vcloudVMVirtualMachineSummary.IPAddressLocal variable
vcloudVMVirtualMachineSummary.cloudProviderLocal variable
vcloudVMVirtualMachineSummary.instanceIDLocal variable
vcloudVMVirtualMachineSummary.operatingSystemLocal variable
vcloudVMVirtualMachineSummary.stateLocal variable
vcloudVMVirtualMachineSummary.typeLocal variable
vmwareVMVirtualMachineSummary.CPULocal variable
vmwareVMVirtualMachineSummary.DNSNameLocal variable
vmwareVMVirtualMachineSummary.IPAddressLocal variable
vmwareVMVirtualMachineSummary.NSXSecurityGroupsLocal variable
vmwareVMVirtualMachineSummary.biosUUIDLocal variable
vmwareVMVirtualMachineSummary.memoryLocal variable
vmwareVMVirtualMachineSummary.notesLocal variable
vmwareVMVirtualMachineSummary.operatingSystemLocal variable
vmwareVMVirtualMachineSummary.stateLocal variable
vmwareVMVirtualMachineSummary.vCenterUUIDLocal variable
vmwareVMVirtualMachineSummary.vmwareToolsLocal variable
webReputation.moduleStatus.agentStatusLocal variable
webReputation.moduleStatus.agentStatusMessageLocal variable
webReputation.moduleStatus.applianceStatusLocal variable
webReputation.moduleStatus.applianceStatusMessageLocal variable
webReputation.stateLocal variable
workspaceVirtualMachineSummary.IPAddressLocal variable
workspaceVirtualMachineSummary.accountIDLocal variable
workspaceVirtualMachineSummary.bundleIDLocal variable
workspaceVirtualMachineSummary.cloudProviderLocal variable
workspaceVirtualMachineSummary.metadataLocal variable
workspaceVirtualMachineSummary.stateLocal variable
workspaceVirtualMachineSummary.userNameLocal variable
workspaceVirtualMachineSummary.workspaceDirectoryLocal variable
workspaceVirtualMachineSummary.workspaceHardwareLocal variable
workspaceVirtualMachineSummary.workspaceIDLocal variable
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Computer Intrusion Prevention

Table 3: Computer Intrusion Prevention attribute mappings

Source Field NameMaps to Attribute
alertEnabledLocal variable
alwaysIncludePacketDataLocal variable
applicationTypeIdLocal variable
computerIdtarget
CVEtype
CVSSScoreLocal variable
debugModeEnabledLocal variable
descriptiondescription
detectOnlyLocal variable
eventLoggingDisabledLocal variable
generateEventOnPacketDropLocal variable
IDuid
identifierLocal variable
lastUpdatedsourceLastModified
namename
originalIssueLocal variable
priorityLocal variable
recommendationsModeLocal variable
severityseverity,sourceSeverity,score
typeLocal variable
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Intrusion Prevention

Table 4: Intrusion Prevention attribute mappings

Source Field NameMaps to Attribute
actionLocal variable
alertEnabledLocal variable
alwaysIncludePacketDataLocal variable
applicationTypeIDLocal variable
canBeAssignedAloneLocal variable
caseSensitiveLocal variable
conditionLocal variable
contextIDLocal variable
customXMLLocal variable
CVEcveRecords,cveIds
CVSSScorebaseCvssScore
debugModeEnabledLocal variable
dependsOnRuleIDsLocal variable
descriptiondescription
detectOnlyLocal variable
endLocal variable
eventLoggingDisabledLocal variable
generateEventOnPacketDropLocal variable
identifierLocal variable
IDuid
lastUpdatedsourceLastModified
minimumAgentVersionLocal variable
namename
originalIssuesourceCreatedDate
patternsLocal variable
priorityLocal variable
recommendationsModeLocal variable
ruleAvailabilityLocal variable
scheduleIDLocal variable
severityseverity(normalize),sourceSeverity,severityScore
signatureLocal variable
startLocal variable
templateLocal variable
typecategory
info

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Operation options

The Trend Micro Deep Security connector supports the following operation options. See connector operation options for information about how to apply them.

Table 5: Trend Micro Deep Security connector operation options

Connector ObjectOptionAll Possible ValuesDescriptionExample
ComputeragentVersionAny Deep Security agent version.A comma-separated list of Deep Security agent versions. Limit the results by the specified agent versions.Key: agentVersion Value: 20.0.1.7380. This key and value combination only retrieves computers with the specified Deep Security agent version installed on them.
hostNameAny computer host name.A comma-separated list of computer host names. Limit the results by the specified host names.Key: hostName Value: WIN-2JP60FAEG19,WIN-6PF0GJE2A91. This key and value combination only retrieves computers with the specified host names.
Intrusion Preventionseveritylow, medium, high, criticalA comma-separated list of severity levels. Limit the results by the specified severity levels.Key: severity Value: high,critical. This key and value combination only retrieve high and critical vulnerabilities.
note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The Trend Micro Deep Security connector uses the Trend Micro Deep Security REST API. Specifically, it uses the following endpoints:

Table 6: Trend Micro Deep Security REST API Endpoints

Connector ObjectAPI Endpoint
ComputerPOST /api/computers/search
Computer GroupPOST /api/computergroups/search
Computer Intrusion PreventionPOST /api/computers/search
GET /api/computers/{computerID}/intrusionprevention/rules
Intrusion PreventionPOST /api/intrusionpreventionrules/search

Changelog

The Trend Micro Deep Security connector has undergone the following changes:

3.0.0

Last updated on