All Apps and Add-ons

"trendmicro" stanza typo in props.conf EVAL-severity expression

morganfw
Path Finder

Hi,
I've installed TA-trendmicro_cm_cef (Control Manager) v1.0.2 and splunkd.log reported following warning message

WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ).

I've analyzed and seen there's a typo in TA default/props.conf EVAL-severity expression, Information word was not quoted correctly

EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")

I've created a workaround in local/props.conf and pasted corrected strings for above eval expression

[trendmicro]
KV_MODE = none
REPORT-trendmicro_cef = trendmicro_cef
REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys
EVAL-date = date_month+" "+date_mday+" "+date_year
EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred")
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail)
EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser)
EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst)
EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
FIELDALIAS-file_name = fname AS file_name
FIELDALIAS-file_path = filePath AS file_path
EVAL-product = "TrendMicro"
FIELDALIAS-product_version = VLF_PatternNumber AS product_version
EXTRACT-act = act=(?P<act>.+?) [\w\d]+=
EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+=
EXTRACT-fname = fname=(?P<fname>.+?)\s\w+=
EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+=
EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+=
FIELDALIAS-dest = dhost AS dest
FIELDALIAS-dest1 = shost AS dest

Is it possible to fix typo in next TA release?
Regards

0 Karma
1 Solution

inmanr
Engager

Also noticing there is a problem in the props.conf with assigning the dest attribute in order to properly assign hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost which is null. Added the following to local/props.conf which appears to have resolved it and left the default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)

View solution in original post

0 Karma

inmanr
Engager

Also noticing there is a problem in the props.conf with assigning the dest attribute in order to properly assign hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost which is null. Added the following to local/props.conf which appears to have resolved it and left the default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)

0 Karma

nhdpotter
Explorer

Hi. Thank you for the bugfix. For now I will update the app description to include the fix.

For future release I can correct this.

Do you happen to have any sample logs you could share with me? I developed the app with very minimal samples and would like to expand the addon if possible. But i don't have access to a Trend CM server.

Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...