Configuring Syslog Connector (CEF content mapping)

To forward Vision One XDR logs (Workbench, Observed Attack Techniques, Account Audit, and System Audit) in CEF format, complete the following steps.

Procedure

  1. Log in to the Trend Micro Vision One console.
  2. Go to Workflow & Automation > Third-party Integration > Syslog Connector > Syslog Configurations.
  3. Enable the Syslog Connector.
  4. Select the event types to forward:
    • Workbench alerts
    • Observed Attack Techniques
    • Audit Logs
  5. Click Connect Syslog Server and configure:
    • Server Address: QRadar IP or FQDN
    • Port: 514 (UDP/TCP) or 6514 (TLS)
    • Syslog Format: Select CEF
    • Protocol: UDP, TCP, or TLS
    • Certificates: Upload or configure if TLS is selected
  6. Select a Service Gateway appliance with the Syslog Connector service installed from the Service Gateway drop-down list.
  7. Optionally click Test Connection to verify reachability, then click Connect to apply the configuration.
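Before pointing the connector at the production QRadar collector, it helps to confirm on the receiving side that the forwarded events actually arrive as well-formed CEF. The script below is an added example written for this page; it is not Trend Micro or IBM code. It listens on a UDP port for one datagram, extracts the CEF payload from the syslog line, splits the seven '|'-delimited header fields (honouring the \| and \\ escapes) and parses the key=value extension (honouring \=, \\, \n and \r). The embedded sample line is constructed: the vendor, product and extension values are placeholders, not the strings Vision One actually emits.

```python
import re
import socket

# The seven CEF header fields that precede the extension.
HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Constructed sample: syslog PRI, timestamp and host, then a CEF payload.
# Vendor/product/extension values are placeholders, not real Vision One output.
SAMPLE_LINE = (
    "<134>Jan 01 00:00:00 vision-one-gw "
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Workbench alert|5|"
    "src=10.0.0.5 dst=10.0.0.9 msg=Constructed sample with an escaped \\= sign"
)


def split_header(cef_text):
    """Split text after 'CEF:' on unescaped '|' into 7 header fields + extension."""
    fields, buf, i = [], [], 0
    while i < len(cef_text) and len(fields) < len(HEADER_FIELDS):
        ch = cef_text[i]
        if ch == "\\" and i + 1 < len(cef_text):
            buf.append(cef_text[i + 1])   # '\|' and '\\' are literal characters
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header must contain 7 '|'-delimited fields")
    return fields, cef_text[i:]


# A key starts at the beginning of the extension or after whitespace and ends at '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, undoing CEF escapes."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[m.end():end]
        result[m.group(1)] = re.sub(r"\\(=|\\|n|r)",
                                    lambda mm: _UNESCAPE[mm.group(1)], raw)
    return result


def parse_cef(line):
    """Return a dict with the header fields, the syslog prefix and the extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload found in line")
    header, ext = split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    event["syslog_prefix"] = line[:start].rstrip()
    event["extension"] = parse_extension(ext)
    return event


def severity_ok(value):
    """CEF severity is an integer 0-10 or one of the named levels."""
    if value.isdigit():
        return 0 <= int(value) <= 10
    return value in ("Low", "Medium", "High", "Very-High")


def receive_cef(port=514, timeout=10.0):
    """Wait for one UDP datagram on `port`; return the parsed event or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        try:
            data, addr = sock.recvfrom(65535)
        except socket.timeout:
            return None
    event = parse_cef(data.decode("utf-8", errors="replace"))
    event["sender"] = addr[0]
    return event


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call receive_cef() on a host
    # that the connector targets to inspect a live event instead.
    print(parse_cef(SAMPLE_LINE))
```

Binding UDP 514 requires elevated privileges on most systems; for a quick check, temporarily point the connector at an unprivileged port (for example 5514) on a test host. The listener only covers UDP, which offers no delivery confirmation; with TCP or TLS, a packet capture on the collector or the QRadar log source status gives the equivalent confirmation.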