Wazuh integration with TrendMicro Apex1


Abhijit Sarwade

Mar 8, 2023, 2:24:07 AM
to Wazuh mailing list
Hi Wazuh Team,

Can you assist with the integration steps for Wazuh with Trend Micro Apex One? We have configured rsyslog and forwarded the Trend Micro logs to rsyslog, which we can see, but we are not able to see the events in the Wazuh Manager.

Regards,
Abhi

Francisco Tuduri

Mar 8, 2023, 6:55:10 AM
to Wazuh mailing list
Hello Abhi!

If I understand correctly, you have configured Remote syslog but you are not seeing any alerts.
You mention that you see the logs. Where are you seeing them?  
One option to check if the manager is receiving the events is to enable (temporarily) the logall option and check the /var/ossec/logs/archives/archives.log file to see if there are any log events coming from that remote syslog configuration. Remember to restart the manager after making any changes to the configuration.

If there are no Apex One log events, there might be some problem with the configuration. In that case, please share the configuration changes that you made to the manager so we can validate them.

If there are some Apex One log events but no alerts were generated it could be the logs are not being decoded correctly or they just do not trigger any rule. In that case, please share a couple of the log events so we can check the decoding and rule triggering.

Also, tell us what is your Wazuh version.

Regards!

Francisco Tuduri

Mar 9, 2023, 4:08:48 PM
to Wazuh mailing list
Hello Abhi!

That's right, the manager is receiving the logs correctly but there is no decoder that can process those logs.
You will need to create a custom decoder and appropriate rules.
Here are a few reference guides you can read to learn how to do that:
But to get you started you can use the following custom decoder (it is just extracting a few of the fields) and the following custom rule:
  • Custom decoder
Add this to the file /var/ossec/etc/decoders/local_decoder.xml:

<decoder name="trend-micro">
        <program_name>CEF</program_name>
        <prematch>^0\|Trend Micro\|Apex Central\|2019\|</prematch>
</decoder>

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>0\|Trend Micro\|Apex Central\|2019\|(\d+)\|(\.+)\|(\d+)\|</regex>
  <order>apex.signatureId, apex.eventName, apex.severity</order>
</decoder>

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>rt=(\w+\s\d\d\s\d\d\d\d\s\d\d:\d\d:\d\d\sGMT\.\d\d:\d\d)\s+shost=(\w+)\s+</regex>
  <order>apex.rt, apex.shost</order>
</decoder>

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>\s+cs1Label=(\.+)\s+cs1=(\.+)\s+</regex>
  <order>apex.cs1Label, apex.cs1</order>
</decoder>

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>\s+cs2Label=(\.+)\s+cs2=(\.+)\s+</regex>
  <order>apex.cs2Label, apex.cs2</order>
</decoder>

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>\s+cs3Label=(\.+)\s+cs3=(\.+)\s+</regex>
  <order>apex.cs3Label, apex.cs3</order>
</decoder>

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>\s+cs4Label=(\.+)\s+cs4=(\.+)\s+</regex>
  <order>apex.cs4Label, apex.cs4</order>
</decoder>


  • Custom rule
Add the following to the file /var/ossec/etc/rules/local_rules.xml:

<group name="trendMicro,">
<rule id="100010" level="3">
    <decoded_as>trend-micro</decoded_as>
    <field name="apex.eventName">Pattern Update Status</field>
    <description>Apex One pattern update status from $(apex.shost), severity $(apex.severity)</description>
</rule>
</group>



You can test the decoder and rule with the wazuh-logtest tool. Note that the log that you use with this tool should not have the header, so you have to remove "2023 Mar 09 07:15:49 (tmavsyslog) any->/var/log/antivirus/av.log " from the log samples that you sent me earlier.

Here is an output of the wazuh-logtest tool using one of those samples and the custom decoder and rule given above:

/var/ossec/bin# ./wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Mar  9 12:45:48 wu9gdd.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Mar 09 2023 07:11:16 GMT+00:00 shost=DESKTOP-CEKMUCS cs1Label=Operating_System cs1=Windows 10  cs2Label=Product/Endpoint_IP cs2=192.168.110.154 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=2048 cs5Label=Pattern/Rule_Version cs5=1632 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One msg=Damage Cleanup Template ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Workgroup\\

**Phase 1: Completed pre-decoding.
full event: 'Mar  9 12:45:48 wu9gdd.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|800101|Pattern Update Status|3|rt=Mar 09 2023 07:11:16 GMT+00:00 shost=DESKTOP-CEKMUCS cs1Label=Operating_System cs1=Windows 10  cs2Label=Product/Endpoint_IP cs2=192.168.110.154 cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup cn1Label=Connection_Status cn1=100 cn2Label=Pattern/Rule cn2=2048 cs5Label=Pattern/Rule_Version cs5=1632 cn3Label=Pattern/Rule_Status cn3=1 cs6Label=AUComponent_Type cs6=2 deviceFacility=Apex One msg=Damage Cleanup Template ApexCentralHost=Apex Central as a Service deviceNtDomain=N/A dntdom=Workgroup\\ '
timestamp: 'Mar  9 12:45:48'
hostname: 'wu9gdd.manage.trendmicro.com'
program_name: 'CEF'

**Phase 2: Completed decoding.
name: 'trend-micro'
apex.cs1: 'Windows'
apex.cs1Label: 'Operating_System'
apex.cs2: '192.168.110.154'
apex.cs2Label: 'Product/Endpoint_IP'
apex.cs3: '0'
apex.cs3Label: 'Update_Agent'
apex.cs4: 'Workgroup'
apex.cs4Label: 'Domain'
apex.eventName: 'Pattern Update Status'
apex.rt: 'Mar 09 2023 07:11:16 GMT+00:00'
apex.severity: '3'
apex.shost: 'DESKTOP-CEKMUCS'
apex.signatureId: '800101'

**Phase 3: Completed filtering (rules).
id: '100010'
level: '3'
description: 'Apex One pattern update status from DESKTOP-CEKMUCS, severity 3'
groups: '['trendMicro']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.


In Phase 2 you can see all the decoded fields; in Phase 3 you can see that the sample log would trigger rule 100010.
Of course, you can change the name of the fields, extract more fields with the decoder, and create the rules that fit your use cases.

Regards! 

Abhijit Sarwade

Mar 10, 2023, 2:22:44 AM
to Wazuh mailing list
Thanks a lot, Tuduri. Not including the header for testing works well, but the actual logs will have the headers, so will the decoder work as expected, i.e. will it populate all the phases (1, 2 & 3) when an actual event happens?

Abhijit Sarwade

Mar 10, 2023, 6:31:55 AM
to Wazuh mailing list
Hi Tuduri,

Thanks, I can see events, but only one category, i.e. Pattern Update Status. So do I need to write multiple rules, one for each apex.eventName, or can we use a wildcard? Any idea?

Abhijit Sarwade

Mar 10, 2023, 7:50:41 AM
to Wazuh mailing list
Providing another sample event for which I am not able to see an event:

2023 Mar 10 11:21:42 (tmavsyslog) any->/var/log/antivirus/av.log Mar 10 16:51:41 wu9gdd.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|AV:File quarantined|Eicar_test_1|3|deviceExternalId=535 rt=2023-03-10 11:20:57 cnt=1 dhost=ITCBPM0777 TMCMLogDetectedHost=ITCBPM0777 duser=DEVELOPMENT\\Administrator act=File quarantined cn1Label=Pattern cn1=1830100 cn2Label=Second_Action cn2=4 cs1Label=VLF_FunctionCode cs1=Real-time Scan cs2Label=Engine cs2=22.580.1004 cs3Label=Product_Version cs3=14.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=First_Action_Result cs5=Unable to clean file cs6Label=Second_Action_Result cs6=File quarantined cat=1703 dvchost=lwgjbn.manage.trendmicro.com cn3Label=Overall_Risk_Rating cn3=2 fname=5e43ff82-2ee5-4741-8920-9a8b71a062e7.tmp filePath=C:\\Users\\administrator\\Downloads\\ dst=192.168.100.18 TMCMLogDetectedIP=192.168.100.18 fileHash=3395856CE81F2B7382DEE72602F798B642F14140 deviceFacility=Apex One ApexCentralHost=Apex Central as a Service devicePayloadId=96004822D4F6-A9F911ED-BF35-B5DB-CC50 TMCMdevicePlatform=Windows 10 10.0 (Build 19045) deviceNtDomain=N/A dntdom=Development\\ 




Francisco Tuduri

Mar 10, 2023, 12:25:36 PM
to Wazuh mailing list
Hello Abhi,

About the log header
When the manager saves the log event in archives.json it adds a small header with some metadata. So it adds that small header to the front of the original log that was received.

Another way to see this is using the logall_json option, it will save every received event in the /var/ossec/logs/archives/archives.json in json format. If you take a look at the records on this file you will find an element with the name "full_log", that element contains the original log of the event, you can use that value directly on the wazuh-logtest tool.

Remember that both options, logall_json and logall, should only be used temporarily for debugging purposes. Otherwise, the involved files can grow in size very rapidly.


>>Thanks, I can see events, but only one category, i.e. Pattern Update Status. So do I need to write multiple rules, one for each apex.eventName, or can we use a wildcard? Any idea?

That depends on the rules.
The example rule I gave you has:

<field name="apex.eventName">Pattern Update Status</field>

That means that that rule will trigger an alert only if the field with name apex.eventName is "Pattern Update Status".

To fire an alert for every event received that is decoded by this trend-micro decoder, you can try a rule similar to this one:

<group name="trendMicro,">
<rule id="100009" level="3">
    <decoded_as>trend-micro</decoded_as>
    <description>Apex One event: $(apex.eventName), severity $(apex.severity)</description>
</rule>
</group>



>>Providing another sample event for which I am not able to see event for :

I see. The custom decoder was not correctly parsing the first few fields.
Please replace the first child decoder with this:

<decoder name="trend-micro-child">
  <parent>trend-micro</parent>
  <regex>0\|Trend Micro\|Apex Central\|2019\|(\.+)\|(\.+)\|(\d+)\|</regex>
  <order>apex.signatureId, apex.eventName, apex.severity</order>
</decoder>


Regards!
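As an added example (not code from this thread or from Wazuh), the following Python parses the two Apex Central CEF samples posted above the way a decoder has to: the seven pipe-delimited header fields, then the key=value extension, whose values may contain spaces and backslash escapes. It also mirrors the two rule conditions from this thread (the apex.eventName match and the catch-all) and shows why the original `(\d+)` for the Signature ID could not match the AV event. The samples are trimmed copies of the lines posted earlier, the `apex.*` names follow the custom decoder above, and the rule table is an assumption built from the two rules in this thread.

```python
r"""Added example: a CEF parser for the Trend Micro Apex Central samples in this
thread (constructed here, not Wazuh code). It shows what the custom decoder has
to extract and why '(\d+)' for the Signature ID failed on the AV event."""
import re

# Sample events: trimmed copies of the two lines posted in the thread.
SAMPLE_PATTERN_UPDATE = (
    r"Mar  9 12:45:48 wu9gdd.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|"
    r"800101|Pattern Update Status|3|rt=Mar 09 2023 07:11:16 GMT+00:00 shost=DESKTOP-CEKMUCS "
    r"cs1Label=Operating_System cs1=Windows 10  cs2Label=Product/Endpoint_IP cs2=192.168.110.154 "
    r"cs3Label=Update_Agent cs3=0 cs4Label=Domain cs4=Workgroup deviceFacility=Apex One "
    r"msg=Damage Cleanup Template deviceNtDomain=N/A dntdom=Workgroup\\"
)
SAMPLE_AV_QUARANTINE = (
    r"Mar 10 16:51:41 wu9gdd.manage.trendmicro.com CEF: 0|Trend Micro|Apex Central|2019|"
    r"AV:File quarantined|Eicar_test_1|3|deviceExternalId=535 rt=2023-03-10 11:20:57 cnt=1 "
    r"dhost=ITCBPM0777 duser=DEVELOPMENT\\Administrator act=File quarantined "
    r"cs1Label=VLF_FunctionCode cs1=Real-time Scan cat=1703 "
    r"fname=5e43ff82-2ee5-4741-8920-9a8b71a062e7.tmp filePath=C:\\Users\\administrator\\Downloads\\ "
    r"dst=192.168.100.18 fileHash=3395856CE81F2B7382DEE72602F798B642F14140 "
    r"deviceFacility=Apex One dntdom=Development\\"
)

# CEF header: Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_KEYS = ("cef_version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def split_header(cef_body):
    """Split the seven pipe-delimited header fields. A backslash-escaped pipe
    ('\\|') is data, not a delimiter. Returns (header dict, extension string)."""
    fields, cur, i = [], [], 0
    while i < len(cef_body) and len(fields) < len(HEADER_KEYS):
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):   # keep the escaped character literally
            cur.append(cef_body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_KEYS):
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER_KEYS, fields)), cef_body[i:]


# A value runs until the next ' key=' token, so values with spaces ("Windows 10") survive.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
_UNESCAPE = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}   # CEF extension escapes


def parse_extension(ext):
    """Parse the key=value extension into a dict, resolving backslash escapes."""
    out = {}
    for m in _EXT_PAIR.finditer(ext):
        key, raw = m.group(1), m.group(2)
        out[key] = re.sub(r"\\(.)", lambda e: _UNESCAPE.get(e.group(1), e.group(0)), raw)
    return out


def parse_cef(line):
    """Accept a full syslog line or a bare record. The samples in this thread
    carry 'CEF: 0|' with a space after the colon, so whitespace is tolerated."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    header, ext = split_header(line[idx + 4:].lstrip())
    return {"header": header, "extension": parse_extension(ext)}


def decode_like_wazuh(event):
    """Flatten to the apex.* field names used by the custom decoder in this thread."""
    h, e = event["header"], event["extension"]
    decoded = {"apex.signatureId": h["signature_id"], "apex.eventName": h["name"],
               "apex.severity": h["severity"]}
    decoded.update({"apex." + k: v for k, v in e.items()})
    return decoded


# (rule id, level, required field match or None) -- assumed table mirroring the two rules above.
RULES = [
    (100009, 3, None),                                      # every decoded Apex event
    (100010, 3, ("apex.eventName", "Pattern Update Status")),
]


def matching_rules(decoded):
    """Return the ids of rules whose condition the event satisfies.
    (Wazuh itself selects a single winning rule; this only checks the conditions.)"""
    return [rid for rid, _lvl, cond in RULES
            if cond is None or decoded.get(cond[0]) == cond[1]]


def signature_is_numeric(event):
    """What the first child decoder's '(\\d+)' required; False for 'AV:File quarantined'."""
    return re.fullmatch(r"\d+", event["header"]["signature_id"]) is not None


if __name__ == "__main__":
    for line in (SAMPLE_PATTERN_UPDATE, SAMPLE_AV_QUARANTINE):
        ev = parse_cef(line)
        dec = decode_like_wazuh(ev)
        print(dec["apex.signatureId"], "|", dec["apex.eventName"],
              "| rules:", matching_rules(dec), "| numeric signatureId:", signature_is_numeric(ev))
```

Two things this makes visible that the logtest output above does not: cs1 comes back as the full "Windows 10" (the Wazuh output above shows only 'Windows', because the `(\.+)\s+` capture stopped at the first space), and the AV sample carries `dhost` plus an `rt` in `YYYY-MM-DD HH:MM:SS` form, so the `rt=`/`shost=` child decoder above will not populate those fields for that event even after the Signature ID fix.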