
Trend Micro Deep Security for Splunk App

chclloydmercer
Engager

We have Deep Security SaaS and wish to forward events to Splunk Cloud.
I configured it as follows:

  1. Deep Security SaaS forwards all events to an AWS SNS topic.
  2. Created an SQS queue and subscribed it to the above topic.
  3. Configured an input on an existing heavy forwarder (Splunk Add-on for AWS) to pick up the SQS messages, tag them with a sourcetype of "deepsecurity", and forward them to Splunk Cloud.

I have 2 issues:

  1. The Deep Security App dashboards are empty. This is due to the sourcetype being "deepsecurity" and not what the app expects (for example, "deepsecurity-antimalware"). Does anyone know how best to tag the correct sourcetypes?

  2. It appears that when events are sent via SNS, multiple events are bundled into one message. Can anyone suggest how to separate them when using the SaaS ==> SNS ==> SQS ==> HF ==> Splunk Cloud route?

Ultimately I'm also open to any ideas on how best to send the messages from DSaaS to Splunk Cloud; we'd prefer not to use syslog due to the need to expose a public-facing endpoint.

0 Karma

skp2094
Engager

Hi Sir/Madam,

Could you please help me out with the same problem? It is very important for me.

0 Karma

chclloydmercer
Engager

In the end, instead of using SQS to process the messages, we used a Python-based Lambda function to split the events and send them to the Splunk HEC, where the sourcetype was applied.

The dashboards were empty because the field transformations expect CEF-based events. This is not the case when events are delivered by SNS, so modification of the regex was required.
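The following is an added example, not the poster's actual Lambda function, of the splitting approach described above: one SNS notification carries a bundle of Deep Security events, the handler unpacks them, assigns each one a module-specific sourcetype, and ships them to the Splunk HTTP Event Collector as newline-delimited HEC JSON. It assumes (not confirmed by the thread) that the SNS Message body is a JSON array of event objects (or an object with an "events" array), that each event carries an "EventType" field, that the app's sourcetypes follow the "deepsecurity-<module>" pattern named in the question, and that the HEC endpoint and token are supplied via the HEC_URL and HEC_TOKEN environment variables. The sample SNS record at the bottom is constructed for illustration.

```python
"""Split bundled Deep Security SNS notifications into single HEC events.

Added example; assumptions are marked inline. Not the poster's code.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

# ASSUMED mapping from Deep Security "EventType" values to the Splunk app's
# sourcetypes. Only "deepsecurity-antimalware" is named in the thread; verify
# the rest against the app's props.conf before relying on them.
SOURCETYPE_BY_EVENT_TYPE = {
    "AntiMalwareEvent": "deepsecurity-antimalware",
    "WebReputationEvent": "deepsecurity-webreputation",
    "FirewallEvent": "deepsecurity-firewall",
    "IntrusionPreventionEvent": "deepsecurity-ips",
    "IntegrityEvent": "deepsecurity-integrity",
    "LogInspectionEvent": "deepsecurity-loginspection",
    "SystemEvent": "deepsecurity-system",
}
DEFAULT_SOURCETYPE = "deepsecurity"  # fallback keeps unknown types searchable


def split_sns_message(message):
    """Return the individual event dicts bundled inside one SNS Message string."""
    body = json.loads(message)
    if isinstance(body, dict) and "events" in body:  # assumed wrapper shape
        body = body["events"]
    if isinstance(body, dict):  # a single, unbundled event
        body = [body]
    return [ev for ev in body if isinstance(ev, dict)]


def sourcetype_for(event):
    """Pick the app-specific sourcetype, falling back to the generic one."""
    return SOURCETYPE_BY_EVENT_TYPE.get(event.get("EventType"), DEFAULT_SOURCETYPE)


def event_epoch(event):
    """Convert an assumed ISO-8601 "LogDate" (e.g. 2020-01-01T00:00:00.000Z) to epoch seconds."""
    stamp = event.get("LogDate")
    if not stamp:
        return None
    try:
        parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def build_hec_envelopes(events, index="deepsecurity"):
    """Wrap each event in a HEC envelope carrying its own sourcetype and time."""
    envelopes = []
    for ev in events:
        envelope = {
            "event": ev,
            "sourcetype": sourcetype_for(ev),
            "index": index,
            "source": "aws:sns:deepsecurity",
        }
        when = event_epoch(ev)
        if when is not None:
            envelope["time"] = when  # lets Splunk index the original event time
        envelopes.append(envelope)
    return envelopes


def to_ndjson(envelopes):
    """HEC accepts several JSON objects in one request, newline-separated."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in envelopes)


def post_to_hec(payload):
    """Send one batch to HEC; token is read from the environment, never logged."""
    url = os.environ["HEC_URL"]  # e.g. https://<stack>.splunkcloud.com:8088/services/collector/event
    req = urllib.request.Request(
        url,
        data=payload.encode("utf-8"),
        headers={"Authorization": "Splunk " + os.environ["HEC_TOKEN"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context=None, post=post_to_hec):
    """Lambda entry point. `post` is injectable so the logic can be tested offline."""
    sent = 0
    for record in event.get("Records", []):
        events = split_sns_message(record["Sns"]["Message"])
        if events:
            post(to_ndjson(build_hec_envelopes(events)))
            sent += len(events)
    return {"events_sent": sent}


# Constructed sample SNS record with two events bundled into one Message.
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps([
    {"EventType": "AntiMalwareEvent", "LogDate": "2020-01-01T00:00:00.000Z",
     "HostName": "web-01", "MalwareName": "Eicar_test_file"},
    {"EventType": "FirewallEvent", "HostName": "web-01", "Action": "Deny"},
])}}]}

if __name__ == "__main__":
    # Dry run: print the HEC payload instead of posting it.
    print(lambda_handler(SAMPLE_SNS_EVENT, post=print))
```

Because the sourcetype is set per envelope at the HEC, the heavy forwarder and its single "deepsecurity" sourcetype drop out of the path entirely; the Lambda only needs outbound HTTPS to the HEC endpoint, so no inbound public listener is required on your side.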
