All Apps and Add-ons

How to modify default fields in Trend Micro Deep Security for Splunk?

emixam3
Explorer

Hi,
I'm receiving syslog flow from Trend Micro Deep Security.
After installing the app for Splunk, I would like to check how the fields are populate by it. I've got an issue with the field "DPI_Reason", where I can find the Trend Micro rule number.
The field in the raw data is, for example, "502", but the field in splunk is "-502". And it only populate the field with default values like 502 or 504, not with custom rules like 1001234.

Thanks

Max

0 Karma

aakwah
Builder

Hello,

Make sure that Deep Security is sending syslog messages with Common Event Format (CEF) as syslog format.

On Deep Security web interface:

Administration -> System Settings -> SIEM -> Syslog Format (Common Event Format).

Hope this helps.

Regards

0 Karma

idurrani
New Member

Hello,

Deep Security manager is sending traffic to splunk and splunk is getting the events but not showing it on UI. For example I see DSM sending messages on UDP port 10702 that are received by Splunk but I can't see them. Splunk has the Deep Security manager app configured. Please help?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...