Trend Micro Deep Security for Splunk App

chclloydmercer
Engager

We have Deep Security SaaS and wish to forward events to Splunk Cloud.
I configured as follows:

Deep SaaS forward all events to AWS SNS topic
Created SQS queue and subscribed to the above
Configured an input on existing heavy forwarder (Splunk add-on for AWS) to pick up the SQS messages and tag a source type of "deepsecurity" and forward to splunk cloud

I have 2 issues:

  1. Deep Security App dashboards are empty. This is due to the sourcetype being deepsecurity and not what it expects (for example deepsecurity-antimalware). Does anyone know how best to tag the correct sourcetypes?

  2. It appears that when sent via SNS, multiple events are bundled into one message. Can anyone suggest how to separate them when using the SaaS ==> SNS ==> SQS ==> HF ==> Splunk Cloud route?

Ultimately I'm also open to any ideas on how best to send the messages from DSaaS to Splunk Cloud; we'd prefer not to use syslog due to the need to expose a public-facing endpoint.


skp2094
Engager

Hi Sir/Madam,

Could you please help me out with the same problem? It is very important for me.


chclloydmercer
Engager

In the end, instead of using SQS to process the messages, we used a Python-based Lambda function to split the events and send them to the Splunk HEC, where the sourcetype was applied.

The dashboards were empty because the field transformations expect CEF-based events; this is not the case when they are delivered by SNS, so modification of the RegEx was required.
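The route the thread ends up with (an SNS-triggered Lambda that splits the bundled events, assigns the app's per-module sourcetype, and posts each event to HEC) looks roughly like the following. This is an added example, not the poster's Lambda and not code from Trend Micro or the Splunk app. It assumes that Deep Security publishes each SNS notification as a JSON array of event objects carrying an "EventType" and an ISO-8601 "LogDate" field, that the HEC URL and token are supplied through the environment variables HEC_URL and HEC_TOKEN, and that the app's sourcetypes follow the "deepsecurity-<module>" pattern; only deepsecurity-antimalware is confirmed by the thread, the other names in the mapping are guesses to be checked against the app's props.conf.

```python
"""Split bundled Deep Security SNS notifications and forward them to Splunk HEC.

Added example; not the poster's Lambda nor Trend Micro's code. Assumptions:
- the SNS Message body is a JSON array of Deep Security event objects, each with
  an "EventType" and usually an ISO-8601 "LogDate" (assumed field names);
- HEC_URL and HEC_TOKEN are provided as environment variables;
- sourcetype names other than deepsecurity-antimalware are guesses.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Assumed EventType -> sourcetype mapping (verify against the app's props.conf).
SOURCETYPE_BY_EVENT_TYPE = {
    "AntiMalwareEvent": "deepsecurity-antimalware",
    "FirewallEvent": "deepsecurity-firewall",
    "IntrusionPreventionEvent": "deepsecurity-intrusionprevention",
    "IntegrityEvent": "deepsecurity-integrity",
    "LogInspectionEvent": "deepsecurity-loginspection",
    "WebReputationEvent": "deepsecurity-webreputation",
    "AppControlEvent": "deepsecurity-applicationcontrol",
    "SystemEvent": "deepsecurity-system",
}
DEFAULT_SOURCETYPE = "deepsecurity"  # unknown types stay searchable under the generic type


def split_events(message):
    """Return the individual event dicts inside one SNS message body.

    Deep Security bundles several events per notification, so the body is normally
    a JSON array; a lone object is wrapped so callers always get a list.
    """
    parsed = json.loads(message)
    if isinstance(parsed, list):
        return [e for e in parsed if isinstance(e, dict)]
    if isinstance(parsed, dict):
        return [parsed]
    raise ValueError("unexpected SNS message shape: %s" % type(parsed).__name__)


def sourcetype_for(event):
    """Pick the sourcetype the Deep Security app dashboards search for."""
    return SOURCETYPE_BY_EVENT_TYPE.get(event.get("EventType"), DEFAULT_SOURCETYPE)


def event_time(event):
    """Epoch seconds from LogDate, or None so HEC stamps the arrival time instead."""
    stamp = event.get("LogDate")
    if not stamp:
        return None
    try:
        dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    except ValueError:
        return None  # malformed timestamp: do not drop the event, just lose its time
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def build_hec_payloads(sns_records):
    """Turn the Records of an SNS-triggered Lambda invocation into HEC envelopes."""
    payloads = []
    for record in sns_records:
        for event in split_events(record["Sns"]["Message"]):
            envelope = {"event": event,
                        "sourcetype": sourcetype_for(event),
                        "source": "deepsecurity:sns"}
            ts = event_time(event)
            if ts is not None:
                envelope["time"] = ts
            payloads.append(envelope)
    return payloads


def post_to_hec(payloads, hec_url, hec_token):
    """POST every envelope in one request; HEC accepts newline-separated JSON objects."""
    body = "\n".join(json.dumps(p) for p in payloads).encode("utf-8")
    req = urllib.request.Request(
        hec_url, data=body, method="POST",
        headers={"Authorization": "Splunk " + hec_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # TLS verified by default
        return resp.status


def lambda_handler(event, context):
    """Lambda entry point; the token comes from the environment, never from code."""
    payloads = build_hec_payloads(event.get("Records", []))
    if not payloads:
        return {"forwarded": 0}
    status = post_to_hec(payloads, os.environ["HEC_URL"], os.environ["HEC_TOKEN"])
    return {"forwarded": len(payloads), "hec_status": status}


# Constructed sample: one SNS record bundling two Deep Security events.
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps([
    {"EventType": "AntiMalwareEvent", "LogDate": "2021-03-01T10:15:00Z",
     "HostName": "web-01", "MalwareName": "Eicar_test_file"},
    {"EventType": "SystemEvent", "LogDate": "2021-03-01T10:15:05Z",
     "HostName": "web-01", "EventID": 120},
])}}]}

if __name__ == "__main__":
    for p in build_hec_payloads(SAMPLE_SNS_EVENT["Records"]):
        print(p["sourcetype"], p.get("time"))
```

Splitting in the Lambda means each HEC envelope carries its own sourcetype and timestamp, which is what the dashboards key on; the HF-side regex the question asks about is no longer needed for that. As the reply notes, the app's field transformations still expect CEF, so the JSON events will only populate the dashboards once those extractions are adjusted as well. Keeping the HEC token out of the function code (here an environment variable; a secrets store is better still) and letting urllib verify the HEC certificate are the two things worth not cutting corners on.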
