Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Integrate Trendmicro DDI with Splunk- Not parsing correctly?

Yadukrishnan
Explorer
‎09-19-2022 02:08 AM

Hi,

 

I integrated Trendmicro DDI with Splunk using the app. But in DDI, there is a gap in the signature name. Therefore when Splunk is parsing the signature name, it is only showing the first word and not the rest. 

For example if the signature name is "possible scanning activity" , I could see only in Splunk that the signature nae is "Possible" . The remaining is not coming up. Can some one please help with this. This is something very urgent. 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-19-2022 09:07 PM

Hi @Yadukrishnan,

You can add the below line into your Trendmmicro DDI logs sourcetype. I also added appGroup and app to regex which you may have problems with because of space.

EXTRACT-values_with_spaces = appGroup=(?<appGroup>.+)\sapp=(?<app>.+)vLANId.*ruleName=(?<ruleName>.+)\sdeviceRiskConfidenceLevel
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-19-2022 09:07 PM

Hi @Yadukrishnan,

You can add the below line into your Trendmmicro DDI logs sourcetype. I also added appGroup and app to regex which you may have problems with because of space.

EXTRACT-values_with_spaces = appGroup=(?<appGroup>.+)\sapp=(?<app>.+)vLANId.*ruleName=(?<ruleName>.+)\sdeviceRiskConfidenceLevel
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Yadukrishnan
Explorer
‎09-19-2022 04:30 AM

Hi @scelikok,

Please see below the sample logs from DDI. 

 

Sep 19 08:33:17 host-XX-XX-XX-XX-XX.open.local CEF: 0|Trend Micro|Deep Discovery Inspector|6.2.XXXX|100119|SECURITY_RISK_DETECTION|2|ptype=IDS dvc=XX.XX.XXX.XXX deviceMacAddress=XX:XX:XX:XX:XX:XX dvchost=XXXX deviceGUID=XXXX-XXXX-XXXX-XXXX-XXXX rt=Sep 19 2022 08:33:10 GMT+03:00 appGroup=DNS Response app=DNS Response vLANId=4095 deviceDirection=1 dhost=XX.XX.XX.XX dst=XX.XX.XX.XX dpt=51330 dmac=XX:XX:XX:XX:XX:XX shost=XX.xx.com src=XX.XX.XX.XX spt=53 smac=XX:XX:XX:XX: cs3Label=HostName_Ext cs3=XX.xx.com malType=MALWARE fileType=-65536 fsize=0 ruleId=101 ruleName=DNS response resolves to dead IP address deviceRiskConfidenceLevel=2 cs8Label=BOT_URL cs8=7%3F01 cn3Label=Deep Discovery_PotentialRisk cn3=1 cs4Label=Deep Discovery_SrcGroup cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1 cs9Label=Deep Discovery_DstGroup cs9=Default cs10Label=Deep Discovery_DstZone cs10=1 cs6Label=Deep Discovery_DetectionType cs6=1 pComp=NCIE act=not blocked cn4Label=Deep Discovery_ThreatType cn4=2 peerIp=XX.XX.XX.XX.XX interestedIp=XX.XX.XX.XX cnt=3 cn5Label=AggregatedCount cn5=1 evtCat=Suspicious Traffic evtSubCat=DNS cn2Label=APT Related cn2=0 externalId=47206390 compressedFileType=-65536 compressedFileHash=0000000000000000000000000000000000000000 hostSeverity=1 reason=["Domain: XX.XX.com"] devicePayloadId=2:47206390:

In the above logs, the one I have marked in Bold is the signature name. But in Splunk it is showing up as only DNS , none of the other values are showing up. Can you please help to solve this. 

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎09-19-2022 02:57 AM

Hi @Yadukrishnan,

Splunk automatic key value extraction stops ad spaces. That is why you may not see the full value in some fields. If you post a few sample events, I can suggest you an EXTRACT setting that you can add to your TrendmicroDDI sourcetype.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Yadukrishnan
Explorer
‎09-19-2022 04:30 AM

Hi @scelikok

Please see below the sample logs from DDI. 

 

Sep 19 08:33:17 host-XX-XX-XX-XX-XX.open.local CEF: 0|Trend Micro|Deep Discovery Inspector|6.2.XXXX|100119|SECURITY_RISK_DETECTION|2|ptype=IDS dvc=XX.XX.XXX.XXX deviceMacAddress=XX:XX:XX:XX:XX:XX dvchost=XXXX deviceGUID=XXXX-XXXX-XXXX-XXXX-XXXX rt=Sep 19 2022 08:33:10 GMT+03:00 appGroup=DNS Response app=DNS Response vLANId=4095 deviceDirection=1 dhost=XX.XX.XX.XX dst=XX.XX.XX.XX dpt=51330 dmac=XX:XX:XX:XX:XX:XX shost=XX.xx.com src=XX.XX.XX.XX spt=53 smac=XX:XX:XX:XX: cs3Label=HostName_Ext cs3=XX.xx.com malType=MALWARE fileType=-65536 fsize=0 ruleId=101 ruleName=DNS response resolves to dead IP address deviceRiskConfidenceLevel=2 cs8Label=BOT_URL cs8=7%3F01 cn3Label=Deep Discovery_PotentialRisk cn3=1 cs4Label=Deep Discovery_SrcGroup cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1 cs9Label=Deep Discovery_DstGroup cs9=Default cs10Label=Deep Discovery_DstZone cs10=1 cs6Label=Deep Discovery_DetectionType cs6=1 pComp=NCIE act=not blocked cn4Label=Deep Discovery_ThreatType cn4=2 peerIp=XX.XX.XX.XX.XX interestedIp=XX.XX.XX.XX cnt=3 cn5Label=AggregatedCount cn5=1 evtCat=Suspicious Traffic evtSubCat=DNS cn2Label=APT Related cn2=0 externalId=47206390 compressedFileType=-65536 compressedFileHash=0000000000000000000000000000000000000000 hostSeverity=1 reason=["Domain: XX.XX.com"] devicePayloadId=2:47206390:

In the above logs, the one I have marked in Bold is the signature name. But in Splunk it is showing up as only DNS , none of the other values are showing up. Can you please help to solve this. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...