We have Deep Security SaaS and wish to forward events to Splunk Cloud.
I configured as follows:
Deep Security SaaS forwards all events to an AWS SNS topic.
Created an SQS queue and subscribed it to the above topic.
Configured an input on the existing heavy forwarder (Splunk Add-on for AWS) to pick up the SQS messages, tag them with a sourcetype of "deepsecurity" and forward them to Splunk Cloud.
I have 2 issues:
Deep Security App dashboards are empty. This is due to the sourcetype being deepsecurity and not what the app expects, for example deepsecurity-antimalware. Does anyone know how best to tag the correct sourcetypes?
It appears that when events are sent via SNS, multiple events are bundled into one message. Can anyone suggest how to separate them when using the SaaS ==> SNS ==> SQS ==> HF ==> Splunk Cloud route?
Ultimately I'm also open to any ideas on how best to send the messages from DSaaS to Splunk Cloud; we'd prefer not to use syslog due to the need to expose a public-facing endpoint.
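One way to handle both issues in a pre-processing step between SQS and Splunk (for instance a scripted input on the heavy forwarder or a small Lambda that posts to HEC), as an added example that is not from the original post, Trend Micro or Splunk: unwrap the SNS envelope, split the bundled JSON array into single events, and pick a sourcetype per event from its type field. The field name "EventType", its values, and every sourcetype other than "deepsecurity-antimalware" are assumptions to verify against the Deep Security SNS event format and the Splunk app's props.conf.

```python
import json

# Assumed mapping from Deep Security's per-event "EventType" value to the
# sourcetype the Deep Security App expects. Only "deepsecurity-antimalware" is
# named in the post; the other names are placeholders to check against the app.
EVENT_TYPE_TO_SOURCETYPE = {
    "AntiMalwareEvent": "deepsecurity-antimalware",
    "FirewallEvent": "deepsecurity-firewall",            # assumption
    "IntrusionPreventionEvent": "deepsecurity-ips",      # assumption
    "SystemEvent": "deepsecurity-system",                # assumption
}
DEFAULT_SOURCETYPE = "deepsecurity"  # fallback for unknown or missing types


def split_sqs_body(body):
    """Unwrap one SQS message body (an SNS notification envelope) and return a
    list of (sourcetype, event) pairs, one per Deep Security event."""
    envelope = json.loads(body)
    # SNS puts the publisher's payload in "Message" as a string; Deep Security
    # is assumed to send a JSON array of events there.
    message = envelope.get("Message", body)
    payload = json.loads(message) if isinstance(message, str) else message
    events = payload if isinstance(payload, list) else [payload]
    return [
        (EVENT_TYPE_TO_SOURCETYPE.get(ev.get("EventType"), DEFAULT_SOURCETYPE), ev)
        for ev in events
        if isinstance(ev, dict)
    ]


def to_hec_lines(body):
    """Render each event as its own HEC JSON object so Splunk indexes the
    events separately, each with the sourcetype the app dashboards search."""
    return [
        json.dumps({"sourcetype": st, "event": ev})
        for st, ev in split_sqs_body(body)
    ]


# Constructed sample: an SNS envelope whose Message bundles two events.
SAMPLE_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER",
    "Message": json.dumps([
        {"EventType": "AntiMalwareEvent", "HostID": 1, "MalwareName": "EICAR"},
        {"EventType": "SystemEvent", "HostID": 1, "EventID": 123},
    ]),
})

if __name__ == "__main__":
    for line in to_hec_lines(SAMPLE_BODY):
        print(line)
```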