All Apps and Add-ons

"trendmicro" stanza typo in props.conf EVAL-severity expression

morganfw
Path Finder

Hi,
I've installed TA-trendmicro_cm_cef (Control Manager) v1.0.2 and splunkd.log reported following warning message

WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ).

I've analyzed and seen there's a typo in TA default/props.conf EVAL-severity expression, Information word was not quoted correctly

EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")

I've created a workaround in local/props.conf and pasted corrected strings for above eval expression

[trendmicro]
KV_MODE = none
REPORT-trendmicro_cef = trendmicro_cef
REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys
EVAL-date = date_month+" "+date_mday+" "+date_year
EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred")
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail)
EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser)
EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst)
EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
FIELDALIAS-file_name = fname AS file_name
FIELDALIAS-file_path = filePath AS file_path
EVAL-product = "TrendMicro"
FIELDALIAS-product_version = VLF_PatternNumber AS product_version
EXTRACT-act = act=(?P<act>.+?) [\w\d]+=
EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+=
EXTRACT-fname = fname=(?P<fname>.+?)\s\w+=
EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+=
EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+=
FIELDALIAS-dest = dhost AS dest
FIELDALIAS-dest1 = shost AS dest

Is it possible to fix typo in next TA release?
Regards

0 Karma
1 Solution

inmanr
Engager

Also noticing there is a problem in the props.conf with assigning the dest attribute in order to properly assign hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost which is null. Added the following to local/props.conf which appears to have resolved it and left the default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)

View solution in original post

0 Karma

inmanr
Engager

Also noticing there is a problem in the props.conf with assigning the dest attribute in order to properly assign hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost which is null. Added the following to local/props.conf which appears to have resolved it and left the default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)

0 Karma

nhdpotter
Explorer

Hi. Thank you for the bugfix. For now I will update the app description to include the fix.

For future release I can correct this.

Do you happen to have any sample logs you could share with me? I developed the app with very minimal samples and would like to expand the addon if possible. But i don't have access to a Trend CM server.

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...