Protect Cloud Workloads with Azure Sentinel
Looking for SIEM and SOAR integration for your Trend Micro Cloud One™ – Workload Security investment? Learn how you can get Azure Sentinel capabilities added to Workload Security and how this integration can create a more valuable solution.
If you are looking to protect your cloud based workloads in Microsoft Azure, look no further than utilising Trend Micro Cloud One Workload Security!
Lately, I stumbled upon a pretty cool integration with Microsoft Azure Sentinel. If you are looking for SIEM and SOAR integration with your Trend Micro Cloud One Workload Security investment, this might be something to look into as an offering from Microsoft.
To get started, I created a test Ubuntu Linux Virtual Machine in my Microsoft Azure subscription, and deployed the Trend Micro Cloud One Workload Security agent programmatically shown below.
Huzzah! Next, we need to run our handy dandy Trend Micro Deep Security Test Application. We need this to generate some sample threat detections on our Virtual Machine protected by Trend Micro Cloud One for Workloads. Then, I will forward the event logs on to Microsoft Azure Sentinel for collection and analysis.
When the demo application is deployed, I am able to connect to my Microsoft Azure test Linux Virtual Machine via its public IP address to access the Trend Micro Deep Security Test Application. You can use this to generate security events by Trend Micro Cloud One Workload Security. This is shown below from my test Virtual Machine.
Yep, exciting stuff! Well, now we are going to need an Azure Sentinel Workspace! So, lets zoom on over to our Microsoft Azure subscription, and select Azure Sentinel from your services list.
When we setup Azure Sentinel, we need to setup a Log Analytics Workspace. This is used for storage and organisation of the streaming log data from Trend Micro Cloud One Workload Security.
Once your workspace is created, go ahead it add it to Microsoft Azure Sentinel.
Very Cool! Now you have a workspace that you can interact with to build out data connectors, workbooks, etc in Azure Sentinel.
Alllllllrighty then! Lets go through the process of setting up our data connector to get our event data from Trend Micro Cloud One Workload Security. You just need to click the data connectors section shown below, and search for Trend Micro. You then open the corresponding connector page for setup.
We will need to create a syslog/CEF collector Azure Virtual Machine. Go ahead and spin up another Ubuntu Linux Virtual Machine in your subscription for this purpose. After the machine is provisioned, you are going to want to execute and run the CEF Collector script on the Virtual Machine from the Trend Micro connector page.
Excellent! Now, we are going to want to head on over to Cloud One Workload Security to set up the SIEM Forwarder.
You are going to want to forward your CEF events from your Trend Micro Cloud One subscription tenant to the Azure Virtual Machine Sentinel collector. You do this on port 514 and/or secure and restrict access via IP, DNS, and TLS, per best practices in Microsoft Azure utilising network security groups.
Once the connection is completed, you are going to want to generate some test events using the Trend Micro Test Application. Commence button clicking!
Ok! Ok! that's enough button clicking generating those test threats. Let's see if they made into Azure Sentinel on your data connector. Wow! looks good! Connector is green and status is connected. That's a good sign! That means we are receiving data to Azure Sentinel and populating the Azure Sentinel Log Analytics Workspace.
Let’s check in on the Azure Sentinel overview page, and check the events that are coming in. Yep, looks good the workspace is being populated! We have liftoff!
Awesome! Trend Micro actually provides some Azure Sentinel workbooks along with the data connector that you can use with the solution for organising and correlating event data that is collected from the event logs. You can load and access those from the Workbooks section in Azure Sentinel.
Anti-Malware module test events from the workbook:
Web Reputation Module test events from the workbook:
Intrusion Prevention test events from the workbook:
Based on the event data that is collected, you can also build alerts as well that can correspond to an Azure Sentinel Incident that is requiring action. You can do that in the analytics section of Azure Sentinel to setup that workflow and automated response!
You can check out the incident details when they show up here, and assign an action and associated owner to the incident.
That's it my friends! This is how you can get Azure Sentinel SIEM/SOAR capabilities added to your Trend Micro Cloud One Workload Security solution! Thanks for stopping by! This was certainly a fun experiment to explore, and show the value and integration between two great solutions from Trend Micro and Microsoft!
Reference list for this article: