Skip to content

Commit

Permalink
[filteradd] Trend Deep Security CEF (#651)
Browse files Browse the repository at this point in the history
  • Loading branch information
Ryan Faircloth authored and GitHub committed Aug 21, 2020
1 parent 7d519c2 commit 69db811
Show file tree
Hide file tree
Showing 6 changed files with 423 additions and 0 deletions.
65 changes: 65 additions & 0 deletions docs/sources/Trend/index.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
# Vendor - Trend Micro

## Product - Deep Security

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on CEF | https://splunkbase.splunk.com/app/1936/ |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| deepsecurity-system_events | |
| deepsecurity-intrusion_prevention | |
| deepsecurity-integrity_monitoring | |
| deepsecurity-log_inspection | |
| deepsecurity-web_reputation | |
| deepsecurity-firewall | |
| deepsecurity-antimalware | |
| deepsecurity-app_control | |


### Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
|Trend Micro_Deep Security Agent|deepsecurity|epintel|Used only if a correct source type is not matched|
|Trend Micro_Deep Security Agent_intrusion prevention|deepsecurity-intrusion_prevention|epintel||
|Trend Micro_Deep Security Agent_integrity monitoring|deepsecurity-integrity_monitoring|epintel||
|Trend Micro_Deep Security Agent_log inspection|deepsecurity-log_inspection|epintel||
|Trend Micro_Deep Security Agent_web reputation|deepsecurity-web_reputation|epintel||
|Trend Micro_Deep Security Agent_firewall|deepsecurity-firewall|epintel||
|Trend Micro_Deep Security Agent_antimalware|deepsecurity-antimalware|epintel||
|Trend Micro_Deep Security Agent_app control|deepsecurity-app_control|epintel||
|Trend Micro_Deep Security Manager|deepsecurity-system_events|epintel||

### Filter type

MSG Parse: This filter parses message content

### Options

Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
many ports are in use by this CEF source (or any others). See the "Common Event Format" source
documentation for more information.

### Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

```
index=<asconfigured> (sourcetype="deepsecurity*")
```
1 change: 1 addition & 0 deletions mkdocs.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ nav:
- Schneider: sources/Schneider/index.md
- Splunk: sources/Splunk/index.md
- Symantec: sources/Symantec/index.md
- Trend: sources/Trend/index.md
- Ubiquiti: sources/Ubiquiti/index.md
- VMware: sources/VMWare/index.md
- Zscaler: sources/Zscaler/index.md
Expand Down
55 changes: 55 additions & 0 deletions package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,61 @@ log {
parser {
p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
};
if {
filter{
match("Trend Micro_Deep Security Agent" value("fields.sc4s_vendor_product"));
};
if {
filter{
match("^(10|[2-3][0-9][0-9]|[5-7][0-9][0-9]|8[0-4][0-9]|1[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("intrusion prevention" value("fields.cef_device_event_class"));
};
} elif {
filter{
match("^(20|21|1[0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("firewall" value("fields.cef_device_event_class"));
};
} elif {
filter{
match("^(4[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("antimalware" value("fields.cef_device_event_class"));
};
} elif {
filter{
match("^(30|2[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("integrity monitoring" value("fields.cef_device_event_class"));
};
} elif {
filter{
match("^(40|3[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("log inspection" value("fields.cef_device_event_class"));
};
} elif {
filter{
match("^(5[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("web reputation" value("fields.cef_device_event_class"));
};
} elif {
filter{
match("^(6[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
};
rewrite {
set("app control" value("fields.cef_device_event_class"));
};
};
};
parser(p_cef_class);

parser (compliance_meta_by_source);
Expand Down
14 changes: 14 additions & 0 deletions package/etc/context_templates/splunk_metadata.csv.example
View file
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,20 @@ sc4s_metrics,index,em_metrics
symantec_ep,index,epav
symantec_brightmail,index,email
syslogng_loggen,index,main
Trend Micro_Deep Security Agent,index,epintel
Trend Micro_Deep Security Agent,sc4s_template,t_legacy_hdr_msg
Trend Micro_Deep Security Agent_intrusion prevention,sourcetype,deepsecurity-intrusion_prevention
Trend Micro_Deep Security Agent_integrity monitoring,sourcetype,deepsecurity-integrity_monitoring
Trend Micro_Deep Security Agent_log inspection,sourcetype,deepsecurity-log_inspection
Trend Micro_Deep Security Agent_web reputation,sourcetype,deepsecurity-web_reputation
Trend Micro_Deep Security Agent_firewall,sourcetype,deepsecurity-firewall
Trend Micro_Deep Security Agent_antimalware,sourcetype,deepsecurity-antimalware
Trend Micro_Deep Security Agent_antimalware,index,epav
Trend Micro_Deep Security Manager,index,epintel
Trend Micro_Deep Security Agent_app control,sourcetype,deepsecurity-app_control
Trend Micro_Deep Security Manager,index,epintel
Trend Micro_Deep Security Manager,sc4s_template,t_legacy_hdr_msg
Trend Micro_Deep Security Manager,sourcetype,deepsecurity-system_events
ubiquiti_unifi,index,netops
ubiquiti_unifi_fw,index,netfw
ubiquiti_unifi_link,index,netops
Expand Down
5 changes: 5 additions & 0 deletions splunk/etc/apps/SA-syslog-ng/default/indexes.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@ homePath = $SPLUNK_DB/epav/db
coldPath = $SPLUNK_DB/epav/colddb
thawedPath = $SPLUNK_DB/epav/thaweddb

[epintel]
homePath = $SPLUNK_DB/epintel/db
coldPath = $SPLUNK_DB/epintel/colddb
thawedPath = $SPLUNK_DB/epintel/thaweddb

[em_metrics]
datatype=metric
homePath = $SPLUNK_DB/em_metrics/db
Expand Down

0 comments on commit 69db811

Please sign in to comment.