
Overview of the Trend Micro Apex Central integration

You can integrate Trend Micro Apex Central with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Trend Micro Apex Central product overview

Sophos can ingest alerts from a wide range of Trend Micro products via Apex Central (for example, Apex One endpoint alerts). For a full list of the Trend Micro tools whose alerts pass through Apex Central, see the Apex Central documentation published on the Trend Micro website.

Apex Central manages and administers security solutions like endpoint protection and mobile security. Offering a centralized management console, it brings visibility into security events and enhances protection measures with its real-time threat intelligence and analytics.

Sophos documents

Integrate Trend Micro Apex Central

What we ingest

Sample alerts seen by Sophos:

  • Data Loss Prevention
  • Update Status
  • Product Auditing Events
  • Advanced Threat Correlation Pattern
  • Early Launch Anti-Malware Pattern (64-bit)
  • Spyware/Grayware Pattern
  • Behavior Monitoring Policy Descriptions
  • Data Protection Application Pattern
  • Device Access Control
  • HTTP_HNAP1_RCE_EXPLOIT_NC_
  • Memory Scan Trigger Pattern (32-bit)
  • Web Reputation Endpoint Patch Pattern
  • HTTP_REMOTECODE_EXECUTION_REQUEST-2_NC_
  • HTTP_ZTE_F460_F660_RCE_EXPLOIT_NC_
  • HackTool.Win32.PortScan.SWO
  • Suspicious Files Engine: TCP anomaly detected

Filtering

We allow only messages in standard CEF format.

Sample threat mappings

Depending on the alert classification and the fields it contains, we use one of the following to define the alert:

  • If the alert is of type web_security_cat, we use the field cat.
  • Otherwise, if the field cn1, cs1, or cs2 is present, we use that field.

If none of these apply, we default to the def.name field.

Sample mappings:

{"alertType": "Suspicious Files", "threatId": "TA0002", "threatName": "Execution"}
{"alertType": "Endpoint Sensor Trusted Pattern", "threatId": "T1518.001", "threatName": "Security Software Discovery"}
{"alertType": "Web Reputation Endpoint Patch Pattern", "threatId": "T1562.001", "threatName": "Disable or Modify Tools"}
{"alertType": "Device Access Control", "threatId": "TA0004", "threatName": "Privilege Escalation"}
{"alertType": "Web reputation", "threatId": "TA0001", "threatName": "Initial Access"}
{"alertType": "Digital Signature Pattern", "threatId": "T1553.002", "threatName": "Code Signing"}
{"alertType": "Early Boot Clean Driver (64-bit)", "threatId": "T1037.005", "threatName": "Startup Items"}
{"alertType": "CnC Callback", "threatId": "TA0011", "threatName": "Command and Control"}
{"alertType": "Product Auditing Events", "threatId": "T1016", "threatName": "System Network Configuration Discovery"}
{"alertType": "Global C&C IP List", "threatId": "TA0011", "threatName": "Command and Control"}
{"alertType": "IntelliTrap Pattern", "threatId": "TA0002", "threatName": "Execution"}
{"alertType": "IntelliTrap Exception Pattern", "threatId": "TA0002", "threatName": "Execution"}
{"alertType": "Policy Enforcement Pattern", "threatId": "T1484.001", "threatName": "Group Policy Modification"}
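The filtering rule, the field-precedence rule and the sample mappings above can be exercised together on a few messages. The following is an added example written for this page; it is not Sophos or Trend Micro code, and it does not reproduce the Sophos pipeline. It parses a CEF line (header fields separated by unescaped pipes, extension as key=value pairs), rejects anything that is not CEF, applies the precedence rule, and looks the result up in a subset of the sample mappings listed above. Two things are assumptions and are marked as such in the code: the alert classification checked by the first rule is taken from a hypothetical extension key named alert_class, and the "def.name" default is treated as the CEF header name field. The sample messages are constructed, not real Apex Central output.

```python
"""Parse CEF alerts and derive alertType / threat mapping per the rules on this page.

Added example for this page, not Sophos or Trend Micro code. Assumptions are
marked in comments.
"""
import re
from typing import Dict, Optional, Tuple

# Subset of the page's sample mappings: alert type -> (MITRE ATT&CK id, name).
SAMPLE_MAPPINGS: Dict[str, Tuple[str, str]] = {
    "Suspicious Files": ("TA0002", "Execution"),
    "Web Reputation Endpoint Patch Pattern": ("T1562.001", "Disable or Modify Tools"),
    "Device Access Control": ("TA0004", "Privilege Escalation"),
    "Web reputation": ("TA0001", "Initial Access"),
    "CnC Callback": ("TA0011", "Command and Control"),
    "Policy Enforcement Pattern": ("T1484.001", "Group Policy Modification"),
}

# Standard CEF header layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Assumption: the alert classification tested by the page's first rule arrives in a
# hypothetical extension key called alert_class.
CLASS_KEY = "alert_class"
WEB_SECURITY_CLASS = "web_security_cat"


def parse_cef(line: str) -> Optional[Dict]:
    """Return {'header': {...}, 'ext': {...}} for a CEF line, or None if it is not CEF.

    Returning None implements the filtering rule: only standard CEF messages pass.
    """
    if not line.startswith("CEF:"):
        return None
    # A literal pipe inside a header field is escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None
    header = {k: v.replace(r"\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    # Extension values may contain spaces; a literal '=' inside a value is escaped as '\='.
    # Each value runs until the next " key=" token or the end of the line.
    ext: Dict[str, str] = {}
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[key] = value.replace(r"\=", "=").replace(r"\\", "\\")
    return {"header": header, "ext": ext}


def derive_alert_type(parsed: Dict) -> str:
    """Precedence from the page: web_security_cat -> cat; else cn1/cs1/cs2; else def.name."""
    ext, header = parsed["ext"], parsed["header"]
    if ext.get(CLASS_KEY) == WEB_SECURITY_CLASS and "cat" in ext:
        return ext["cat"]
    for key in ("cn1", "cs1", "cs2"):
        if key in ext:
            return ext[key]
    # Assumption: the page's "def.name" default is the CEF header name field.
    return header["name"]


def classify(line: str) -> Optional[Dict]:
    """Full pipeline for one message: filter, derive alertType, map to a threat (None if unmapped)."""
    parsed = parse_cef(line)
    if parsed is None:
        return None  # filtered: not CEF
    alert_type = derive_alert_type(parsed)
    threat = SAMPLE_MAPPINGS.get(alert_type)
    return {
        "alertType": alert_type,
        "threatId": threat[0] if threat else None,
        "threatName": threat[1] if threat else None,
    }


# Constructed sample messages (not real Apex Central output); alert_class is hypothetical.
SAMPLE_LINES = [
    "CEF:0|Trend Micro|Apex Central|2019|WRS|Web Reputation Services|3|"
    "alert_class=web_security_cat cat=Web reputation dhost=ws01 request=http://example.invalid/",
    "CEF:0|Trend Micro|Apex Central|2019|DAC|Device Control|3|"
    "cs1=Device Access Control cs1Label=Policy shost=ws02 msg=USB storage blocked",
    "CEF:0|Trend Micro|Apex Central|2019|CNC|CnC Callback|8|dst=203.0.113.7 dpt=443 msg=outbound beacon a\\=b",
    "<13>Jan  1 00:00:00 apex-central non-CEF syslog text",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
```

Running the block prints one result per sample line: the first resolves through the cat field, the second through cs1, the third falls back to the header name, and the non-CEF line is dropped (None). An alert type that is not in the mapping table still yields an alertType but no threatId, which is the case a defender should watch for when validating an integration, since unmapped alert types are ingested without a MITRE classification.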

Vendor documentation

SIEM solutions integration with Apex Central