
Trend Micro Deep Security for Splunk App

chclloydmercer
Engager

We have Deep Security SaaS and wish to forward events to Splunk Cloud.
I configured as follows:

Deep SaaS forward all events to AWS SNS topic
Created SQS queue and subscribed to the above
Configured an input on the existing heavy forwarder (Splunk Add-on for AWS) to pick up the SQS messages, tag a sourcetype of "deepsecurity" and forward to Splunk Cloud

I have 2 issues:

  1. Deep Security App dashboards are empty. This is due to the sourcetype being "deepsecurity" and not what the app expects (for example "deepsecurity-antimalware"). Does anyone know how best to tag the correct sourcetypes?

  2. It appears that, when sent via SNS, multiple events are bundled into one message. Can anyone suggest how to separate them when using the SaaS ==> SNS ==> SQS ==> HF ==> Splunk Cloud route?

Ultimately I'm also open to any ideas on how best to send the messages from DSaaS to Splunk Cloud; we'd prefer not to use syslog due to the need to expose a public-facing endpoint.

0 Karma

skp2094
Engager

Hi Sir/Madam,

Could you please help me out with the same problem? It is very important for me.

0 Karma

chclloydmercer
Engager

In the end, instead of using SQS to process the messages, we used a Python-based Lambda function to split the events and send them to the Splunk HEC, where the sourcetype was applied.

The dashboards were empty due to field transformations expecting CEF-based events; this is not the case when events are delivered by SNS, so modification of the RegEx was required.
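The approach in the reply above, as an added example (not the poster's code and not Trend Micro's): a Lambda handler that unbundles one SNS notification into individual events, tags each with a per-event sourcetype, and POSTs the batch to HEC. It assumes the SNS Message is a JSON array of Deep Security events each carrying an "EventType" field; the sourcetype names other than deepsecurity-antimalware are assumed, and HEC_URL / HEC_TOKEN are environment variables you set on the function.

```python
import json
import os
import urllib.request

# Assumption: a Deep Security SNS notification carries a JSON array of
# event objects in the SNS "Message" field, each tagged with "EventType".
# The EventType -> sourcetype table is also an assumption, modelled on the
# app's "deepsecurity-antimalware" name; align it with the app's props.conf.
SOURCETYPES = {
    "AntiMalwareEvent": "deepsecurity-antimalware",
    "FirewallEvent": "deepsecurity-firewall",
    "IntrusionPreventionEvent": "deepsecurity-ips",
    "IntegrityEvent": "deepsecurity-integrity",
    "LogInspectionEvent": "deepsecurity-loginspection",
    "SystemEvent": "deepsecurity-system",
}
DEFAULT_SOURCETYPE = "deepsecurity"  # fallback for unknown event kinds


def split_events(message):
    """Unbundle one SNS Message body into a list of single-event dicts."""
    parsed = json.loads(message)
    if isinstance(parsed, list):
        return [e for e in parsed if isinstance(e, dict)]
    return [parsed] if isinstance(parsed, dict) else []


def sourcetype_for(event):  # the sourcetype the app's dashboards search on
    return SOURCETYPES.get(event.get("EventType", ""), DEFAULT_SOURCETYPE)


def build_hec_batch(sns_event):
    """Turn a Lambda SNS trigger payload into one HEC envelope per event."""
    batch = []
    for record in sns_event.get("Records", []):
        for event in split_events(record["Sns"]["Message"]):
            batch.append({"sourcetype": sourcetype_for(event),
                          "source": record["Sns"].get("TopicArn", "aws:sns"),
                          "event": event})
    return batch


def lambda_handler(event, context=None):
    """Lambda entry point: split, tag, and POST the batch to HEC."""
    batch = build_hec_batch(event)
    if not batch:
        return {"forwarded": 0}
    # HEC's /services/collector/event accepts several JSON events per POST.
    body = "\n".join(json.dumps(e) for e in batch).encode()
    req = urllib.request.Request(os.environ["HEC_URL"], data=body, headers={
        "Authorization": "Splunk " + os.environ["HEC_TOKEN"],
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()  # a non-2xx reply raises HTTPError, so Lambda retries it
    return {"forwarded": len(batch)}
```

Because the events arrive as JSON rather than CEF, the app's CEF field transforms still need the RegEx changes the reply mentions.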
