
Trend Micro Deep Security for Splunk App

We have Deep Security SaaS and wish to forward events to Splunk Cloud.
I configured as follows:

Deep SaaS forwards all events to an AWS SNS topic
Created an SQS queue and subscribed it to the above
Configured an input on the existing heavy forwarder (Splunk Add-on for AWS) to pick up the SQS messages, tag a sourcetype of "deepsecurity" and forward to Splunk Cloud

I have 2 issues:

  1. Deep Security App dashboards are empty. This is due to the sourcetype being deepsecurity and not what it expects, for example deepsecurity-antimalware. Does anyone know how best to tag the correct sourcetypes?

  2. It appears that when sent via SNS, multiple events are bundled into one message. Can anyone suggest how to separate them when using the SaaS ==> SNS ==> SQS ==> HF ==> Splunk Cloud route?

Ultimately I'm also open to any ideas on how best to send the messages from DSaaS to Splunk Cloud; we'd prefer not to use syslog due to the need to expose a public-facing endpoint.


Re: Trend Micro Deep Security for Splunk App

In the end, instead of using SQS to process the messages, we used a Python-based Lambda function to split the events and send them to the Splunk HEC, where the sourcetype was applied.

The dashboards were empty because the field transformations expected CEF-based events; this is not the case when they are delivered by SNS, so modification of the RegEx was required.
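
The Lambda approach described in the answer, as an added example that is not the poster's code: it splits the bundled JSON array in each SNS Message, maps each event's EventType to an app sourcetype and posts the whole bundle to HEC as one newline-delimited batch. The EventType values, the LogDate field, every sourcetype name other than deepsecurity-antimalware, and the HEC_URL/HEC_TOKEN environment variables are assumptions to be checked against the Deep Security event format and the app's props.conf.

```python
import json
import os
import urllib.request
from datetime import datetime

# Assumed EventType -> app sourcetype map; only deepsecurity-antimalware is confirmed by the thread
SOURCETYPES = {
    "AntiMalwareEvent": "deepsecurity-antimalware",
    "FirewallEvent": "deepsecurity-firewall",
    "IntrusionPreventionEvent": "deepsecurity-intrusion_prevention",
    "IntegrityEvent": "deepsecurity-integrity_monitoring",
    "LogInspectionEvent": "deepsecurity-log_inspection",
    "WebReputationEvent": "deepsecurity-web_reputation",
    "SystemEvent": "deepsecurity-system_events",
}
# Constructed sample of one SNS Message body: two Deep Security events bundled into a single array
SAMPLE_MESSAGE = '[{"EventType": "AntiMalwareEvent", "LogDate": "2019-01-02T03:04:05.000Z"}, {"EventType": "FirewallEvent"}]'

def split_events(message):
    parsed = json.loads(message)  # the SNS Message field is a JSON string, normally an array
    return parsed if isinstance(parsed, list) else [parsed]  # tolerate a single object too

def sourcetype_for(event):
    return SOURCETYPES.get(event.get("EventType"), "deepsecurity")  # generic fallback stays searchable

def event_time(event):
    """LogDate is assumed to be ISO 8601 with a trailing Z; None lets HEC use index time."""
    stamp = event.get("LogDate")
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp() if stamp else None

def build_hec_payload(events):
    """One HEC envelope per event, newline-joined so a single POST carries the whole bundle."""
    lines = []
    for ev in events:
        envelope = {"event": ev, "sourcetype": sourcetype_for(ev)}
        ts = event_time(ev)
        if ts is not None:
            envelope["time"] = ts
        lines.append(json.dumps(envelope))
    return "\n".join(lines)

def send_to_hec(payload, hec_url, token):
    req = urllib.request.Request(hec_url, data=payload.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def lambda_handler(event, context):
    events = [e for rec in event["Records"] for e in split_events(rec["Sns"]["Message"])]
    return send_to_hec(build_hec_payload(events), os.environ["HEC_URL"], os.environ["HEC_TOKEN"])
```

Because the sourcetype is set per event in the HEC envelope, the app's per-sourcetype field transformations apply without any heavy forwarder in the path.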
