topic Re: Integrate Trendmicro DDI with Splunk- Not parsing correctly? in Splunk Enterprise

Integrate Trendmicro DDI with Splunk- Not parsing correctly?

Yadukrishnan — Mon, 19 Sep 2022 15:42:36 GMT

Hi,

I integrated Trendmicro DDI with Splunk using the app. But in DDI, there is a gap in the signature name. Therefore when Splunk is parsing the signature name, it is only showing the first word and not the rest.

For example if the signature name is "possible scanning activity" , I could see only in Splunk that the signature nae is "Possible" . The remaining is not coming up. Can some one please help with this. This is something very urgent.

Re: Integrate Trendmicro DDI with Splunk

scelikok — Mon, 19 Sep 2022 09:57:31 GMT

Hi @Yadukrishnan,

Splunk automatic key value extraction stops ad spaces. That is why you may not see the full value in some fields. If you post a few sample events, I can suggest you an EXTRACT setting that you can add to your TrendmicroDDI sourcetype.

Re: Integrate Trendmicro DDI with Splunk

Yadukrishnan — Mon, 19 Sep 2022 11:30:05 GMT

Hi @scelikok,

Please see below the sample logs from DDI.

Sep 19 08:33:17 host-XX-XX-XX-XX-XX.open.local CEF: 0|Trend Micro|Deep Discovery Inspector|6.2.XXXX|100119|SECURITY_RISK_DETECTION|2|ptype=IDS dvc=XX.XX.XXX.XXX deviceMacAddress=XX:XX:XX:XX:XX:XX dvchost=XXXX deviceGUID=XXXX-XXXX-XXXX-XXXX-XXXX rt=Sep 19 2022 08:33:10 GMT+03:00 appGroup=DNS Response app=DNS Response vLANId=4095 deviceDirection=1 dhost=XX.XX.XX.XX dst=XX.XX.XX.XX dpt=51330 dmac=XX:XX:XX:XX:XX:XX shost=XX.xx.com src=XX.XX.XX.XX spt=53 smac=XX:XX:XX:XX: cs3Label=HostName_Ext cs3=XX.xx.com malType=MALWARE fileType=-65536 fsize=0 ruleId=101 ruleName=DNS response resolves to dead IP address deviceRiskConfidenceLevel=2 cs8Label=BOT_URL cs8=7%3F01 cn3Label=Deep Discovery_PotentialRisk cn3=1 cs4Label=Deep Discovery_SrcGroup cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1 cs9Label=Deep Discovery_DstGroup cs9=Default cs10Label=Deep Discovery_DstZone cs10=1 cs6Label=Deep Discovery_DetectionType cs6=1 pComp=NCIE act=not blocked cn4Label=Deep Discovery_ThreatType cn4=2 peerIp=XX.XX.XX.XX.XX interestedIp=XX.XX.XX.XX cnt=3 cn5Label=AggregatedCount cn5=1 evtCat=Suspicious Traffic evtSubCat=DNS cn2Label=APT Related cn2=0 externalId=47206390 compressedFileType=-65536 compressedFileHash=0000000000000000000000000000000000000000 hostSeverity=1 reason=["Domain: XX.XX.com"] devicePayloadId=2:47206390:

In the above logs, the one I have marked in Bold is the signature name. But in Splunk it is showing up as only DNS , none of the other values are showing up. Can you please help to solve this.

Re: Integrate Trendmicro DDI with Splunk

Yadukrishnan — Mon, 19 Sep 2022 11:30:44 GMT

Hi @scelikok

Please see below the sample logs from DDI.

In the above logs, the one I have marked in Bold is the signature name. But in Splunk it is showing up as only DNS , none of the other values are showing up. Can you please help to solve this.

Re: Integrate Trendmicro DDI with Splunk- Not parsing correctly?

scelikok — Tue, 20 Sep 2022 04:07:55 GMT

Hi @Yadukrishnan,

You can add the below line into your Trendmmicro DDI logs sourcetype. I also added appGroup and app to regex which you may have problems with because of space.

EXTRACT-values_with_spaces = appGroup=(?<appGroup>.+)\sapp=(?<app>.+)vLANId.*ruleName=(?<ruleName>.+)\sdeviceRiskConfidenceLevel