Solved: Trend Micro officescan and deepsecurity sourcetype...

rashid47010 · ‎06-30-2019

Maily I have three sourcetypes
sourcetype=Officescan ( workstation logs( signature update, malware etc)
sourcetype = deepsecurity ( servers, malware logs)
sourcetype = trendmicro ( TrendMicro Control centre logs)

I can see the sourecetype=trendmicro with tag=malware. but other I can't see although they have also tag=malware.

secondly how can I made the app CIM compliant.

rashid47010 · ‎06-30-2019

In continuation of above, I install the TA_officescan TA on search head and on ES.
on search Head I can see the proper field extration and tags assosication. whereas In ES i cant see field extration NOR tag association.
am i missing something.?

View solution in original post

rashid47010 · ‎06-30-2019

In continuation of above, I install the TA_officescan TA on search head and on ES.
on search Head I can see the proper field extration and tags assosication. whereas In ES i cant see field extration NOR tag association.
am i missing something.?

rashid47010 · ‎06-30-2019

Answering to myself:

the naming convention for splunk apps to be appear in Splunk ES.

Referrence URL: https://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#Import_add-ons_with_...

amankhan1 · ‎03-07-2020

HI Rashid, which TA did you use for officescan?

Trend Micro officescan and deepsecurity sourcetype as not papulating in Malware datamodel

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio