
"trendmicro" stanza typo in props.conf EVAL-severity expression

morganfw
Path Finder

Hi,
I've installed TA-trendmicro_cm_cef (Control Manager) v1.0.2 and splunkd.log reported the following warning message:

WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ).

I've analyzed it and seen there's a typo in the TA's default/props.conf EVAL-severity expression: the word Information was not quoted correctly.

EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")

I've created a workaround in local/props.conf and pasted the corrected string for the above eval expression:

[trendmicro]
KV_MODE = none
REPORT-trendmicro_cef = trendmicro_cef
REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys
EVAL-date = date_month+" "+date_mday+" "+date_year
EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred")
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail)
EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser)
EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst)
EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
FIELDALIAS-file_name = fname AS file_name
FIELDALIAS-file_path = filePath AS file_path
EVAL-product = "TrendMicro"
FIELDALIAS-product_version = VLF_PatternNumber AS product_version
EXTRACT-act = act=(?P<act>.+?) [\w\d]+=
EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+=
EXTRACT-fname = fname=(?P<fname>.+?)\s\w+=
EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+=
EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+=
FIELDALIAS-dest = dhost AS dest
FIELDALIAS-dest1 = shost AS dest

Is it possible to fix the typo in the next TA release?
Regards
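An added check, not part of the TA or of the original post: the script below is a small linter for EVAL-* expressions in a props.conf fragment. When an eval expression does not parse, the calculated field is simply absent from search results and the WARN in splunkd.log is the only sign, so it is worth catching unterminated string literals, unbalanced parentheses and odd case() argument counts before a TA is deployed. The props.conf text embedded in the script is a constructed sample containing the broken and the corrected EVAL-severity lines plus the EVAL-dest line from the accepted solution below; the checks approximate, and do not reproduce, splunkd's own expression parser.

```python
"""Lint EVAL-* expressions in a Splunk props.conf fragment for the kind of
quoting/paren mistake discussed in the thread: unterminated string literal,
unbalanced parentheses, odd argument count to case().

Added example, not part of the TA or of Splunk. SAMPLE_PROPS is a constructed
props.conf fragment; the checks only approximate splunkd's parser."""
import re

# Constructed sample: the broken EVAL-severity from the TA (missing closing
# quote after Information), the corrected one, and the EVAL-dest workaround.
SAMPLE_PROPS = '''
[trendmicro]
KV_MODE = none
EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")
EVAL-product = "TrendMicro"

[trendmicro_fixed]
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
'''

STANZA_RE = re.compile(r'^\[(.+)\]\s*$')
EVAL_RE = re.compile(r'^(EVAL-[^\s=]+)\s*=\s*(.*)$')


def eval_expressions(props_text):
    """Yield (stanza, key, expression) for every EVAL-* setting in the text."""
    stanza = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = EVAL_RE.match(line)
        if m and stanza:
            yield stanza, m.group(1), m.group(2)


def lint_expression(expr):
    """Return a list of problems found in one eval expression.

    Scans character by character, tracking whether we are inside a "..."
    literal (backslash escapes honoured) and the current paren depth. For a
    top-level case(...) call it also checks that the argument count is even,
    since case() takes condition/value pairs."""
    problems = []
    depth = 0
    in_str = False
    case_open = False   # True while inside a top-level case(...) call
    case_args = 0       # arguments seen in that call (commas at depth 1 + 1)
    i = 0
    while i < len(expr):
        ch = expr[i]
        if in_str:
            if ch == '\\':
                i += 1  # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == '(':
            depth += 1
            if depth == 1 and expr[:i].strip().lower() == 'case':
                case_open, case_args = True, 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                problems.append(f'unexpected ")" at offset {i}')
                depth = 0
            if case_open and depth == 0:
                if case_args % 2:
                    problems.append(
                        f'case() has {case_args} arguments; expected an even count')
                case_open = False
        elif ch == ',' and case_open and depth == 1:
            case_args += 1
        i += 1
    if in_str:
        problems.append('unterminated string literal')
    if depth > 0:
        problems.append(f'{depth} unclosed "("')
    return problems


def lint_props(props_text):
    """Map (stanza, key) -> problems for every EVAL-* setting that has any."""
    report = {}
    for stanza, key, expr in eval_expressions(props_text):
        problems = lint_expression(expr)
        if problems:
            report[(stanza, key)] = problems
    return report


if __name__ == '__main__':
    for (stanza, key), probs in lint_props(SAMPLE_PROPS).items():
        print(f'[{stanza}] {key}: ' + '; '.join(probs))
```

Run against the sample, only the original [trendmicro] EVAL-severity is reported: the missing quote makes every later quote pair up the wrong way, so the scanner ends inside a string with the outer case( still open, which is exactly why splunkd expects a ")". The corrected line and the EVAL-dest line pass. Point the script at the real default/props.conf of a TA before installing it and the same class of typo shows up without waiting for the WARN.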

1 Solution

inmanr
Engager

I'm also noticing there is a problem in props.conf with assigning the dest attribute, which is needed to properly assign hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost, which is null. I added the following to local/props.conf, which appears to have resolved it and leaves default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)


nhdpotter
Explorer

Hi. Thank you for the bug fix. For now I will update the app description to include the fix.

For a future release I can correct this.

Do you happen to have any sample logs you could share with me? I developed the app with very minimal samples and would like to expand the add-on if possible, but I don't have access to a Trend CM server.
