Splunk Enterprise

Integrate Trendmicro DDI with Splunk - Not parsing correctly?

Yadukrishnan
Explorer

Hi,

 

I integrated Trendmicro DDI with Splunk using the app. But in DDI, there is a gap in the signature name. Therefore, when Splunk is parsing the signature name, it is only showing the first word and not the rest.

For example, if the signature name is "possible scanning activity", I can see in Splunk only that the signature name is "Possible". The rest is not coming up. Can someone please help with this? This is very urgent.

1 Solution

scelikok
SplunkTrust

Hi @Yadukrishnan,

You can add the below line into your Trendmicro DDI logs sourcetype. I also added appGroup and app to the regex, which you may have problems with because of spaces.

EXTRACT-values_with_spaces = appGroup=(?<appGroup>.+?)\sapp=(?<app>.+?)\svLANId.*?ruleName=(?<ruleName>.+?)\sdeviceRiskConfidenceLevel
If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @Yadukrishnan,

Splunk automatic key-value extraction stops at spaces. That is why you may not see the full value in some fields. If you post a few sample events, I can suggest an EXTRACT setting that you can add to your TrendmicroDDI sourcetype.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Yadukrishnan
Explorer

Hi @scelikok,

Please see below the sample logs from DDI. 

 

Sep 19 08:33:17 host-XX-XX-XX-XX-XX.open.local CEF: 0|Trend Micro|Deep Discovery Inspector|6.2.XXXX|100119|SECURITY_RISK_DETECTION|2|ptype=IDS dvc=XX.XX.XXX.XXX deviceMacAddress=XX:XX:XX:XX:XX:XX dvchost=XXXX deviceGUID=XXXX-XXXX-XXXX-XXXX-XXXX rt=Sep 19 2022 08:33:10 GMT+03:00 appGroup=DNS Response app=DNS Response vLANId=4095 deviceDirection=1 dhost=XX.XX.XX.XX dst=XX.XX.XX.XX dpt=51330 dmac=XX:XX:XX:XX:XX:XX shost=XX.xx.com src=XX.XX.XX.XX spt=53 smac=XX:XX:XX:XX: cs3Label=HostName_Ext cs3=XX.xx.com malType=MALWARE fileType=-65536 fsize=0 ruleId=101 ruleName=DNS response resolves to dead IP address deviceRiskConfidenceLevel=2 cs8Label=BOT_URL cs8=7%3F01 cn3Label=Deep Discovery_PotentialRisk cn3=1 cs4Label=Deep Discovery_SrcGroup cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1 cs9Label=Deep Discovery_DstGroup cs9=Default cs10Label=Deep Discovery_DstZone cs10=1 cs6Label=Deep Discovery_DetectionType cs6=1 pComp=NCIE act=not blocked cn4Label=Deep Discovery_ThreatType cn4=2 peerIp=XX.XX.XX.XX.XX interestedIp=XX.XX.XX.XX cnt=3 cn5Label=AggregatedCount cn5=1 evtCat=Suspicious Traffic evtSubCat=DNS cn2Label=APT Related cn2=0 externalId=47206390 compressedFileType=-65536 compressedFileHash=0000000000000000000000000000000000000000 hostSeverity=1 reason=["Domain: XX.XX.com"] devicePayloadId=2:47206390:

In the above logs, the one I have marked in bold is the signature name. But in Splunk it is showing up as only DNS, and none of the other values are showing up. Can you please help to solve this?

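The behaviour scelikok describes (automatic key=value extraction stopping at the first space) and the EXTRACT-style fix, run against the DDI sample event above, as an added Python example that is not part of the original thread or of the Trend Micro or Splunk apps. The event is constructed from the posted sample with hosts and addresses masked and some fields dropped; the CEF key names are the sample's, the function and regex names are my own. Splunk's PCRE regexes write named groups as (?<name>...), Python's re module as (?P<name>...); the regexes are otherwise the same.

```python
"""Why Splunk's automatic key=value extraction truncates Deep Discovery
Inspector fields, and how a CEF-aware extraction recovers the whole value.

Added illustration for this thread, not code from Trend Micro, Splunk or the
posters.  Python's re module uses (?P<name>...) for named groups where
Splunk's PCRE regexes use (?<name>...).
"""
import re

# Constructed event modelled on the sample posted in the thread (hosts and
# addresses masked).  CEF header (7 pipe-delimited fields) then an extension of
# space-separated key=value pairs whose values may themselves contain spaces.
EVENT = (
    "Sep 19 08:33:17 host-XX.open.local CEF: 0|Trend Micro|Deep Discovery Inspector|"
    "6.2.XXXX|100119|SECURITY_RISK_DETECTION|2|ptype=IDS dvc=XX.XX.XXX.XXX "
    "rt=Sep 19 2022 08:33:10 GMT+03:00 appGroup=DNS Response app=DNS Response "
    "vLANId=4095 deviceDirection=1 ruleId=101 "
    "ruleName=DNS response resolves to dead IP address deviceRiskConfidenceLevel=2 "
    "act=not blocked evtCat=Suspicious Traffic evtSubCat=DNS "
    'reason=["Domain: XX.XX.com"] devicePayloadId=2:47206390:'
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def split_cef(event):
    """Return (header dict, extension string).

    CEF escapes a literal pipe inside a header field as backslash-pipe, so
    split only on unescaped pipes; the 8th piece is the extension.
    """
    body = event.split("CEF:", 1)[1].lstrip()
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF event: expected 7 header pipes")
    return dict(zip(HEADER_FIELDS, parts[:7])), parts[7]


# What Splunk's automatic KV extraction effectively does: the value is one
# whitespace-free token, so "ruleName=DNS response ..." yields just "DNS".
KV_NAIVE = re.compile(r"(\w+)=(\S+)")

# CEF-aware: a value runs (lazily) up to the next whitespace-delimited key=
# token or the end of the extension.  This relies on CEF escaping '=' inside
# values as \=, so an unescaped "word=" can only be the start of the next key.
KV_CEF = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def kv_naive(extension):
    return dict(KV_NAIVE.findall(extension))


def kv_cef(extension):
    return dict(KV_CEF.findall(extension))


# Targeted EXTRACT-style regex for just the fields that carry spaces, the shape
# that goes into a Splunk props.conf stanza, in Python group syntax.  Lazy
# quantifiers plus an explicit \s before the next literal key keep the
# captured value free of the delimiting space.
TARGETED_RE = re.compile(
    r"appGroup=(?P<appGroup>.+?)\sapp=(?P<app>.+?)\svLANId.*?"
    r"ruleName=(?P<ruleName>.+?)\sdeviceRiskConfidenceLevel"
)

# Same idea written carelessly: greedy .+ and no \s before vLANId, so the
# match hands the delimiting space to the app field ("DNS Response ").
GREEDY_RE = re.compile(
    r"appGroup=(?P<appGroup>.+)\sapp=(?P<app>.+)vLANId.*"
    r"ruleName=(?P<ruleName>.+)\sdeviceRiskConfidenceLevel"
)


def extract_with(regex, text):
    """Named groups of the first match, or {} when the regex does not match."""
    m = regex.search(text)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    header, ext = split_cef(EVENT)
    print("signature id/name:", header["signature_id"], header["name"])
    print("naive ruleName :", repr(kv_naive(ext)["ruleName"]))
    print("cef   ruleName :", repr(kv_cef(ext)["ruleName"]))
    print("targeted       :", extract_with(TARGETED_RE, ext))
    print("greedy app     :", repr(extract_with(GREEDY_RE, ext)["app"]))
```

Before committing an EXTRACT line to props.conf, the same regex can be tried interactively with Splunk's `rex` search command against a few real events; the greedy variant above is the kind of mistake that only shows up as a trailing space when you compare field values, not as a failed match.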