Solved: Trend Micro officescan and deepsecurity sourcetype...

rashid47010 · ‎06-30-2019

Maily I have three sourcetypes
sourcetype=Officescan ( workstation logs( signature update, malware etc)
sourcetype = deepsecurity ( servers, malware logs)
sourcetype = trendmicro ( TrendMicro Control centre logs)

I can see the sourecetype=trendmicro with tag=malware. but other I can't see although they have also tag=malware.

secondly how can I made the app CIM compliant.

rashid47010 · ‎06-30-2019

In continuation of above, I install the TA_officescan TA on search head and on ES.
on search Head I can see the proper field extration and tags assosication. whereas In ES i cant see field extration NOR tag association.
am i missing something.?

View solution in original post

rashid47010 · ‎06-30-2019

In continuation of above, I install the TA_officescan TA on search head and on ES.
on search Head I can see the proper field extration and tags assosication. whereas In ES i cant see field extration NOR tag association.
am i missing something.?

rashid47010 · ‎06-30-2019

Answering to myself:

the naming convention for splunk apps to be appear in Splunk ES.

Referrence URL: https://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#Import_add-ons_with_...

amankhan1 · ‎03-07-2020

HI Rashid, which TA did you use for officescan?

Trend Micro officescan and deepsecurity sourcetype as not papulating in Malware datamodel

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability