Overview
Blumira’s modern cloud SIEM platform integrates with Trend Micro Apex One EndPoint Security to detect cybersecurity threats and provides actionable response to remediate when a threat is detected.
When configured, the Blumira integration with Trend Micro Apex One will stream security event logs to the Blumira service for automated threat detection and actionable response.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Configuring Apex One logging
To forward supported logs to Blumira:
- Go to Administration > Settings > Syslog Settings.
- In the Syslog Settings window, select the Enable syslog forwarding check box.
- Configure a server to receive the syslogs:
- In Server address, type the Blumira sensor's IP address.
- In Port, type 514.
- In Protocol, select the transmission protocol TCP.
Notes:- If SSL/TLS is selected, Apex Central accepts valid self-signed certificates by default.
- If the server certificate contains a Subject Alternative Name, the Subject Alternative Name must contain the server FQDN or IP address.
- For additional security, use a valid server certificate or upload the server certificate to Apex Central.
- (Optional) To upload a server certificate:
- Select the Use server certificate check box.
- Click Select to select the server certificate from your computer.
- Click Open, and Apex Central uploads the selected server certificate.
Note: Apex Central only supports server certificates in X.509 format with .DER or .PEM encoding and only supports uploading server certificates for SSL/TLS transmissions.
- (Optional) To use a proxy server for Syslog forwarding, select the Use a SOCKS proxy server check box.
Note: Apex Central only supports syslog forwarding over a SOCKS protocol proxy server for SSL/TLS or TCP transmissions. Syslog forwarding does not support HTTP proxy servers. To use a proxy server for syslog forwarding, click Configure proxy settings and select a SOCKS protocol server on the Proxy Settings screen. - Select the log format CEF.
- Configure the frequency of log forwarding. This should be every few minutes at the most to ensure the greatest detection.
- Select the log type(s) to forward:
- Select all log categories from the Log type dropdown. You can select log types from multiple log categories.
- Select the check box(es) for the log(s) you want to forward.
- Select another log category from the Log type menu to ensure full coverage.
- (Optional) Click Test connection to test the server connection; the connection status appears at the top of the screen.
Note: This does not save the Syslog settings, but when using TCP or SSL/TLS it should help to identify the configuration status. - Click Save.
Reference: For more information from Trend Micro, see the following links: