All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to modify default fields in Trend Micro Deep Security for Splunk?

emixam3
Explorer
‎05-23-2017 05:49 AM

Hi,
I'm receiving syslog flow from Trend Micro Deep Security.
After installing the app for Splunk, I would like to check how the fields are populate by it. I've got an issue with the field "DPI_Reason", where I can find the Trend Micro rule number.
The field in the raw data is, for example, "502", but the field in splunk is "-502". And it only populate the field with default values like 502 or 504, not with custom rules like 1001234.

Thanks

Max

0 Karma
Reply

aakwah
Builder
‎05-23-2017 08:23 AM

Hello,

Make sure that Deep Security is sending syslog messages with Common Event Format (CEF) as syslog format.

On Deep Security web interface:

Administration -> System Settings -> SIEM -> Syslog Format (Common Event Format).

Hope this helps.

Regards

0 Karma
Reply

idurrani
New Member
‎10-18-2017 05:16 PM

Hello,

Deep Security manager is sending traffic to splunk and splunk is getting the events but not showing it on UI. For example I see DSM sending messages on UDP port 10702 that are received by Splunk but I can't see them. Splunk has the Deep Security manager app configured. Please help?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...