Trend Micro Apex Central
You can integrate Apex Central with Sophos Central so that it sends audit data to Sophos for analysis.
This integration uses a log collector hosted on a virtual machine (VM). Together they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.
This page describes integration using an appliance on ESXi or Hyper-V. If you want to integrate using an appliance on AWS, see Integrations on AWS.
Key steps
The key steps in an integration are as follows:
- Add an integration for this product. In this step, you create an image of the appliance.
- Download and deploy the image on your VM. This becomes your appliance.
- Configure Apex Central to send data to the appliance.
Requirements
Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.
Add an integration
To integrate Apex Central with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
-
Click Trend Micro Apex Central.
The Trend Micro Apex Central page opens. You can add integrations here and see a list of any you've already added.
-
In Data Ingest (Security Alerts), click Add Configuration.
Note
If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
Integration setup steps appears.
Configure the appliance
In Integration setup steps, you can configure a new appliance or use an existing one.
We assume here that you configure a new appliance. To do this, create an image as follows:
- Add a name and description for the new integration.
- Click Create new appliance.
- Enter a name and description for the appliance.
- Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
-
Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.
-
Select DHCP to assign the IP address automatically.
Note
If you select DHCP, you must reserve the IP address.
-
Select Manual to specify network settings.
-
-
Select the Syslog IP version and enter the Syslog IP address.
You'll need this syslog IP address later, when you configure Apex Central to send data to your appliance.
-
Select a Protocol.
You must use the same protocol when you configure Apex Central to send data to your appliance.
-
Click Save.
We create the integration and it appears in your list.
In the integration details, you can see the port number for the appliance. You'll need this later when you configure Apex Central to send data to it.
It might take a few minutes for the appliance image to be ready.
Deploy the appliance
Restriction
If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.
Use the image to deploy the appliance as follows:
- In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
- When the image download finishes, deploy it on your VM. See Deploy an appliance.
Configure Apex Central
Now configure Apex Central to send audit data to your appliance.
Note
You can configure multiple instances of Apex Central to send data to Sophos via the same appliance. After you finish integration, repeat the steps in this section for your other instances of Apex Central. You don't need to repeat the steps in Sophos Central.
Configure Apex Central as follows:
- Go to Detections > Notifications > Notification Method Settings.
-
In the Syslog Settings section, enter the following:
- Server IP address: The syslog IP address of your appliance. You set this earlier in Sophos Central.
- Port: The port number of your appliance.
- Facility: Select the facility code.
-
Click Save.
Turn on syslog forwarding
We use syslog forwarding to send data to the Sophos appliance.
To forward syslog traffic, do as follows:
- Log in to Apex Central console using an Administrator account.
- Go to Administration > Settings > Syslog Settings.
- Select Enable syslog forwarding.
-
Configure the following settings:
- Server address: The syslog IP address of your appliance.
- Port: The port number of your Sophos appliance.
- Protocol: Select TCP or UDP. Choose the same one that you set up for your appliance.
-
Select CEF as the log format:
-
Select the log types to forward:
-
Select a log category from the Log type drop-down list:
- Security logs
- Product information
-
Select the check boxes for the logs you want to forward. Apex Central shows the total number of selected log types next to the Log type list.
- You can select another log category from Log type dropdown list.
-
-
Click Test Connection to test the server connection. The syslog server connection status appears at the top of the screen.
-
Click Save.
Apex Central starts forwarding logs to your appliance. The data should appear in the Sophos Data Lake after validation.
To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.