From 69db811d934a9ae5c3fc18174c8ca96de1a6b743 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 21 Aug 2020 06:18:22 -0400
Subject: [PATCH] [filteradd] Trend Deep Security CEF (#651)

---
 docs/sources/Trend/index.md | 65 ++++
 mkdocs.yml | 1 +
 .../lp-common_event_format.conf.tmpl | 55 ++++
 .../splunk_metadata.csv.example | 14 +
 .../apps/SA-syslog-ng/default/indexes.conf | 5 +
 tests/test_trend_deep_security.py | 283 ++++++++++++++++++
 6 files changed, 423 insertions(+)
 create mode 100644 docs/sources/Trend/index.md
 create mode 100644 tests/test_trend_deep_security.py

diff --git a/docs/sources/Trend/index.md b/docs/sources/Trend/index.md
new file mode 100644
index 0000000..3011941
--- /dev/null
+++ b/docs/sources/Trend/index.md
@@ -0,0 +1,65 @@
+# Vendor - Trend Micro
+
+## Product - Deep Security
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on CEF | https://splunkbase.splunk.com/app/1936/ |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| deepsecurity-system_events | |
+| deepsecurity-intrusion_prevention | |
+| deepsecurity-integrity_monitoring | |
+| deepsecurity-log_inspection | |
+| deepsecurity-web_reputation | |
+| deepsecurity-firewall | |
+| deepsecurity-antimalware | |
+| deepsecurity-app_control | |
+
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+|Trend Micro_Deep Security Agent|deepsecurity|epintel|Used only if a correct source type is not matched|
+|Trend Micro_Deep Security Agent_intrusion prevention|deepsecurity-intrusion_prevention|epintel||
+|Trend Micro_Deep Security Agent_integrity monitoring|deepsecurity-integrity_monitoring|epintel||
+|Trend Micro_Deep Security Agent_log inspection|deepsecurity-log_inspection|epintel||
+|Trend Micro_Deep Security Agent_web reputation|deepsecurity-web_reputation|epintel||
+|Trend Micro_Deep Security Agent_firewall|deepsecurity-firewall|epintel||
+|Trend Micro_Deep Security Agent_antimalware|deepsecurity-antimalware|epintel||
+|Trend Micro_Deep Security Agent_app control|deepsecurity-app_control|epintel||
+|Trend Micro_Deep Security Manager|deepsecurity-system_events|epintel||
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_LISTEN_CEF_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
+| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
+many ports are in use by this CEF source (or any others). See the "Common Event Format" source
+documentation for more information.
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index= (sourcetype="deepsecurity*")
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index 0d7ff19..7b37c90 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -39,6 +39,7 @@ nav:
 - Schneider: sources/Schneider/index.md
 - Splunk: sources/Splunk/index.md
 - Symantec: sources/Symantec/index.md
+ - Trend: sources/Trend/index.md
 - Ubiquiti: sources/Ubiquiti/index.md
 - VMware: sources/VMWare/index.md
 - Zscaler: sources/Zscaler/index.md
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index f0f02ee..d763e41 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -106,6 +106,61 @@ log {
 parser {
 p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
 };
+ if {
+ filter{
+ match("Trend Micro_Deep Security Agent" value("fields.sc4s_vendor_product"));
+ };
+ if {
+ filter{
+ match("^(10|[2-3][0-9][0-9]|[5-7][0-9][0-9]|8[0-4][0-9]|1[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("intrusion prevention" value("fields.cef_device_event_class"));
+ };
+ } elif {
+ filter{
+ match("^(20|21|1[0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("firewall" value("fields.cef_device_event_class"));
+ };
+ } elif {
+ filter{
+ match("^(4[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("antimalware" value("fields.cef_device_event_class"));
+ };
+ } elif {
+ filter{
+ match("^(30|2[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("integrity monitoring" value("fields.cef_device_event_class"));
+ };
+ } elif {
+ filter{
+ match("^(40|3[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("log inspection" value("fields.cef_device_event_class"));
+ };
+ } elif {
+ filter{
+ match("^(5[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("web reputation" value("fields.cef_device_event_class"));
+ };
+ } elif {
+ filter{
+ match("^(6[0-9][0-9][0-9][0-9][0-9][0-9])$" value("fields.cef_device_event_class"));
+ };
+ rewrite {
+ set("app control" value("fields.cef_device_event_class"));
+ };
+ };
+ };
 parser(p_cef_class);
 parser (compliance_meta_by_source);
diff --git a/package/etc/context_templates/splunk_metadata.csv.example b/package/etc/context_templates/splunk_metadata.csv.example
index 3fa4a11..5223f97 100644
--- a/package/etc/context_templates/splunk_metadata.csv.example
+++ b/package/etc/context_templates/splunk_metadata.csv.example
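Review bot: The class-ID ranges behind these `match()` patterns are recorded nowhere, and IDs that fall in the gaps (for example 11–19, 22–29, 400–499, 850–999, or seven-digit IDs beginning with 7–9) pass through with `fields.cef_device_event_class` untouched and presumably resolve to the bare `Trend Micro_Deep Security Agent` context key; a comment above the first inner `if`, such as `# Deep Security module is inferred from the CEF event-class ID range; extend these ranges when the vendor adds IDs`, would make the mapping auditable. The six repeated `[0-9]` atoms read more easily as a quantifier, e.g. `match("^(4[0-9]{6})$" value("fields.cef_device_event_class"));`, assuming the default PCRE matcher is in effect for `match()` here. Each `rewrite { set(...) }` replaces the numeric class ID with the module name, so the original event ID is no longer present in that field for anything later in the path; if a downstream consumer relies on it, copy it to a separate field before the rewrite. The enclosing `log { … }` block begins and ends outside this hunk.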
@@ -99,6 +99,20 @@ sc4s_metrics,index,em_metrics
 symantec_ep,index,epav
 symantec_brightmail,index,email
 syslogng_loggen,index,main
+Trend Micro_Deep Security Agent,index,epintel
+Trend Micro_Deep Security Agent,sc4s_template,t_legacy_hdr_msg
+Trend Micro_Deep Security Agent_intrusion prevention,sourcetype,deepsecurity-intrusion_prevention
+Trend Micro_Deep Security Agent_integrity monitoring,sourcetype,deepsecurity-integrity_monitoring
+Trend Micro_Deep Security Agent_log inspection,sourcetype,deepsecurity-log_inspection
+Trend Micro_Deep Security Agent_web reputation,sourcetype,deepsecurity-web_reputation
+Trend Micro_Deep Security Agent_firewall,sourcetype,deepsecurity-firewall
+Trend Micro_Deep Security Agent_antimalware,sourcetype,deepsecurity-antimalware
+Trend Micro_Deep Security Agent_antimalware,index,epav
+Trend Micro_Deep Security Manager,index,epintel
+Trend Micro_Deep Security Agent_app control,sourcetype,deepsecurity-app_control
+Trend Micro_Deep Security Manager,index,epintel
+Trend Micro_Deep Security Manager,sc4s_template,t_legacy_hdr_msg
+Trend Micro_Deep Security Manager,sourcetype,deepsecurity-system_events
 ubiquiti_unifi,index,netops
 ubiquiti_unifi_fw,index,netfw
 ubiquiti_unifi_link,index,netops
diff --git a/splunk/etc/apps/SA-syslog-ng/default/indexes.conf b/splunk/etc/apps/SA-syslog-ng/default/indexes.conf
index a2686f8..36dca29 100644
--- a/splunk/etc/apps/SA-syslog-ng/default/indexes.conf
+++ b/splunk/etc/apps/SA-syslog-ng/default/indexes.conf
@@ -14,6 +14,11 @@ homePath = $SPLUNK_DB/epav/db
 coldPath = $SPLUNK_DB/epav/colddb
 thawedPath = $SPLUNK_DB/epav/thaweddb
 
+[epintel]
+homePath = $SPLUNK_DB/epintel/db
+coldPath = $SPLUNK_DB/epintel/colddb
+thawedPath = $SPLUNK_DB/epintel/thaweddb
+
 [em_metrics]
 datatype=metric
 homePath = $SPLUNK_DB/em_metrics/db
diff --git a/tests/test_trend_deep_security.py b/tests/test_trend_deep_security.py
new file mode 100644
index 0000000..62a9e89
--- /dev/null
+++ b/tests/test_trend_deep_security.py
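Review bot: `Trend Micro_Deep Security Manager,index,epintel` is added twice in this hunk (the 10th and 12th added rows), and the `Trend Micro_Deep Security Agent_app control` row sits between the two Manager rows instead of with the other Agent rows; drop one duplicate and move the app-control row up with its siblings. The fallback key `Trend Micro_Deep Security Agent` receives an index and an sc4s_template but no sourcetype, while docs/sources/Trend/index.md in this same commit lists sourcetype `deepsecurity` for it, so events whose class ID is not mapped by the log path will presumably keep whatever sourcetype the CEF path assigns by default; either add `Trend Micro_Deep Security Agent,sourcetype,deepsecurity` or correct the docs table. The docs table also states that antimalware events go to index `epintel`, whereas this file (`Trend Micro_Deep Security Agent_antimalware,index,epav`) and the antimalware test's `index=epav` search say `epav`, so one of the two needs to change.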
@@ -0,0 +1,283 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+import random
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
+
+
+def test_trend_deep_security_system(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Manager|0.0.0|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-system_events"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# Anti Malware
+# CEF:0|Trend Micro|Deep Security Agent||4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\trend\\Desktop\\eicar.exe act=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
+def test_trend_deep_security_agent_antimalware(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Agent||4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\trend\\Desktop\\eicar.exe act=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="deepsecurity-antimalware"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# Application Control
+# CEF: 0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202 cn1Label=Host ID dvc=192.168.33.128 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5
+def test_trend_deep_security_agent_appcontrol(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF: 0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202 cn1Label=Host ID dvc=192.168.33.128 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-app_control"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# Firewall event log format
+#
+def test_trend_deep_security_firewall(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Agent||20|Log for TCP Port 80|0|cn1=1 cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.147 out=1019 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-firewall"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# Integrity Monitoring
+#
+def test_trend_deep_security_integrity_monitoring(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Agent||30|New Integrity Monitoring Rule|6|cn1=1 cn1Label=Host ID dvchost=hostname act=updated filePath=c:\\windows\\message.dll suser=admin msg=lastModified,sha1,size\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-integrity_monitoring"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# IPS
+def test_trend_deep_security_ips(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Agent||1001111|Test Intrusion Prevention Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.105 out=1093 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10 cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention Flags\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-intrusion_prevention"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# Log Inspection
+#
+def test_trend_deep_security_log_inspection(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Agent||3002795|Microsoft Windows Events|8|cn1=1 cn1Label=Host ID dvchost=hostname cs1Label=LI Description cs1=Multiple Windows Logon Failures fname=Security src=127.0.0.1 duser=(no user) shost=WIN-RM6HM42G65V msg=WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-log_inspection"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+
+# Web Reputation
+#
+def test_trend_deep_security_web_reputation(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ bsd }} {{ host }} CEF:0|Trend Micro|Deep Security Agent||5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin\n"
+ )
+ message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=epintel host="{{ host }}" sourcetype="deepsecurity-web_reputation"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
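Review bot: `mark="<111>"` is passed to `mt.render()` in every one of the eight tests, but none of the message templates references `{{ mark }}`, so each rendered message is sent without a syslog PRI header; either prefix the templates with it, `"{{ mark }}{{ bsd }} {{ host }} CEF:0|Trend Micro|…"`, or drop the unused argument, depending on whether a PRI-less message is what these tests mean to exercise. `datetime` is used at `dt = datetime.datetime.now()` but never imported in this file; it presumably arrives via `from .timeutils import *`, which hides the dependency, so an explicit `import datetime` next to `import random` would be clearer. The eight functions differ only in the CEF payload, the expected index and the expected sourcetype, and each unpacks five names from `time_operations(dt)` that it never reads; a single `pytest.mark.parametrize` case table (needs `import pytest`) keeps the same assertions while removing roughly two hundred duplicated lines, as sketched below. The `# Tune time functions` comment on `epoch = epoch[:-7]` does not say what the slice removes; a comment such as `# strip the fractional-seconds suffix so _time matches the indexed whole second` would help if that is indeed what time_operations returns — confirm against timeutils.
```python
# One case per Deep Security module: (id, CEF payload, expected index, expected sourcetype).
CASES = [
    ("system", "CEF:0|Trend Micro|Deep Security Manager|0.0.0|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5", "epintel", "deepsecurity-system_events"),
    ("web_reputation", "CEF:0|Trend Micro|Deep Security Agent||5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin", "epintel", "deepsecurity-web_reputation"),
    # … remaining six cases copied from the existing tests (antimalware expects index epav) …
]


@pytest.mark.parametrize("case_id,payload,index,sourcetype", CASES, ids=[c[0] for c in CASES])
def test_trend_deep_security(
    record_property, setup_wordlist, setup_splunk, setup_sc4s, case_id, payload, index, sourcetype
):
    host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
    _, bsd, _, _, _, _, epoch = time_operations(datetime.datetime.now())
    epoch = epoch[:-7]

    message = env.from_string("{{ bsd }} {{ host }} {{ payload }}\n").render(bsd=bsd, host=host, payload=payload)
    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])

    search = env.from_string(
        'search _time={{ epoch }} index={{ index }} host="{{ host }}" sourcetype="{{ sourcetype }}"'
    ).render(epoch=epoch, host=host, index=index, sourcetype=sourcetype)
    resultCount, eventCount = splunk_single(setup_splunk, search)
    # … unchanged: record_property calls and `assert resultCount == 1` …
```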