From 79d9f661b74fa0a04a5d60b53e473947c3de1b99 Mon Sep 17 00:00:00 2001 From: Pedro Borges Date: Tue, 13 Sep 2022 13:44:45 -0600 Subject: [PATCH 1/4] added support for JSON format, fixed typos, took care of issue 8 --- .../deepsecurity_antimalware_dashboard.xml | 8 +- .../deepsecurity_appcontrol_dashboard.xml | 8 +- .../views/deepsecurity_firewall_dashboard.xml | 22 +-- ...security_integritymonitoring_dashboard.xml | 8 +- .../ui/views/deepsecurity_ips_dashboard.xml | 18 +-- .../deepsecurity_loginspection_dashboard.xml | 10 +- .../deepsecurity_webreputation_dashboard.xml | 8 +- .../default/eventtypes.conf | 26 +++- TrendMicroDeepSecurity/default/props.conf | 140 +++++++++++++++++- .../default/savedsearches.conf | 20 +-- TrendMicroDeepSecurity/default/tags.conf | 10 +- .../default/transforms.conf | 50 ++++++- 12 files changed, 264 insertions(+), 64 deletions(-) diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml index a78b7df..77958e0 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml @@ -14,7 +14,7 @@ Anti-Malware Event History - sourcetype=deepsecurity-antimalware | timechart count by act limit=10 + (sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) | timechart count by action limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -44,7 +44,7 @@ Anti-Malware Activity - sourcetype=deepsecurity-antimalware | top limit=5 cef_rulename | rename cef_rulename as "Malware Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) | top limit=5 signature | rename signature as "Malware Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -57,7 +57,7 @@
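Review bot: The Anti-Malware Event History and Anti-Malware Activity panels now group on `action` and `signature` for both sourcetypes, but no hunk in this patch gives the CEF `deepsecurity-antimalware` stanza an `action` eval or a `cef_rulename AS signature` alias, while the `deepsecurity-log_inspection` and `deepsecurity-app_control` CEF stanzas in props.conf do receive exactly that alias in this commit. Unless that stanza already defines both fields outside this diff, the CEF half of these two panels will come back empty. The same applies to the `signature` and `action` panels of `deepsecurity_ips_dashboard.xml`, whose CEF stanza is also not touched here. If the alias is missing, appending `cef_rulename AS signature` to that stanza's FIELDALIAS line would match the pattern used for the other modules.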
Anti-Malware Computer Activity - sourcetype=deepsecurity-antimalware | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -68,4 +68,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml index 9995492..9b27b7f 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml @@ -14,7 +14,7 @@ Application Control Event History - sourcetype=deepsecurity-app_control | timechart count by act limit=10 + (sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) | timechart count by action limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -44,7 +44,7 @@ Application Control Activity - sourcetype=deepsecurity-app_control | top limit=5 cef_rulename | rename cef_rulename as "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) | top limit=5 signature | rename signature as "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -57,7 +57,7 @@
Application Control Computer Activity - sourcetype=deepsecurity-app_control | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -68,4 +68,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml index 98d2981..8fcd018 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml @@ -15,7 +15,7 @@ Firewall Events by Location - sourcetype=deepsecurity-firewall src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count $timeframe.earliest$ $timeframe.latest$ @@ -35,7 +35,7 @@ Firewall Event History - sourcetype=deepsecurity-firewall | timechart count by act limit=10 + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) | timechart count by action limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -65,7 +65,7 @@ Firewall Activity (Prevented) - sourcetype=deepsecurity-firewall act="Deny"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked"| top limit=5 rule | rename rule AS "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -78,7 +78,7 @@
Firewall Activity (Detected) - sourcetype=deepsecurity-firewall act="IDS:Deny"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") | top limit=5 rule | rename rule AS "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -93,7 +93,7 @@
Firewall IP Activity (Prevented) - sourcetype=deepsecurity-firewall act="Deny" src!="N/A"| top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked" src!="N/A"| top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -106,7 +106,7 @@
Firewall IP Activity (Detected) - sourcetype=deepsecurity-firewall act="IDS:Deny" src!="N/A"| top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") src!="N/A" | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -121,7 +121,7 @@
Firewall Computer Activity (Prevented) - sourcetype=deepsecurity-firewall act="Deny" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -134,7 +134,7 @@
Firewall Computer Activity (Detected) - sourcetype=deepsecurity-firewall act="IDS:Deny" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -149,7 +149,7 @@
Firewall Port Activity (Prevented) - sourcetype=deepsecurity-firewall act="Deny" dpt > 0 dpt!="N/A"| top limit=5 dpt | rename dpt as "Destination Port" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) action="blocked" dest_port > 0 dest_port!="N/A"| top limit=5 dest_port | rename dest_port as "Destination Port" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -162,7 +162,7 @@
Firewall Port Activity (Detected) - sourcetype=deepsecurity-firewall act="IDS:Deny" dpt > 0 dpt!="N/A"| top limit=5 dpt | rename dpt as "Destination Port" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) (act="IDS:Deny" OR ActionString="Detect Only: Deny") dest_port > 0 dest_port!="N/A"| top limit=5 dest_port | rename dest_port as "Destination Port" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -173,4 +173,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml index 45d7c11..e183614 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml @@ -14,7 +14,7 @@ Integrity Monitoring Event History - sourcetype=deepsecurity-integrity_monitoring | eval severity=case(cef_severity=3, "Low", cef_severity=6, "Medium", cef_severity=8, "High", cef_severity=10, "Critical")| timechart count by severity limit=10 + (sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) | timechart count by severity limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -44,7 +44,7 @@ Integrity Monitoring Activity - sourcetype=deepsecurity-integrity_monitoring| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) | top limit=5 change_type | rename change_type AS "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -57,7 +57,7 @@
Integrity Monitoring Computer Activity - sourcetype=deepsecurity-integrity_monitoring| top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -68,4 +68,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_ips_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_ips_dashboard.xml index 89a2b29..8f782b2 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_ips_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_ips_dashboard.xml @@ -15,7 +15,7 @@ Intrusion Prevention Events by Location - sourcetype=deepsecurity-intrusion_prevention src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count $timeframe.earliest$ $timeframe.latest$ @@ -26,7 +26,7 @@ Intrusion Prevention Event History - sourcetype=deepsecurity-intrusion_prevention | timechart count by act limit=10 + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) | timechart count by action limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -56,7 +56,7 @@ IPS Activity (Prevented) - sourcetype=deepsecurity-intrusion_prevention act="Reset"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="Reset" OR ActionString="Reset") | top limit=5 signature | rename signature AS "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -69,7 +69,7 @@
IPS Activity (Detected) - sourcetype=deepsecurity-intrusion_prevention act="IDS:Reset"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="IDS:Reset" OR ActionString="Detect Only: Reset") | top limit=5 signature | rename signature AS "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -84,7 +84,7 @@
IPS IP Activity (Prevented) - sourcetype=deepsecurity-intrusion_prevention act="Reset" | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="Reset" OR ActionString="Reset") | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -97,7 +97,7 @@
IPS IP Activity (Detected) - sourcetype=deepsecurity-intrusion_prevention act="IDS:Reset" | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="IDS:Reset" OR ActionString="Detect Only: Reset") | top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -112,7 +112,7 @@
IPS Computer Activity (Prevented) - sourcetype=deepsecurity-intrusion_prevention act="Reset" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="Reset" OR ActionString="Reset") | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -125,7 +125,7 @@
IPS Computer Activity (Detected) - sourcetype=deepsecurity-intrusion_prevention act="IDS:Reset" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) (act="IDS:Reset" OR ActionString="Detect Only: Reset") | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -136,4 +136,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_loginspection_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_loginspection_dashboard.xml index 64b5caf..cb62a60 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_loginspection_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_loginspection_dashboard.xml @@ -14,7 +14,7 @@ Log Inspection Event History - sourcetype=deepsecurity-log_inspection | eval severity=case(cef_severity=3, "Low", cef_severity=6, "Medium", cef_severity=8, "High", cef_severity=10, "Critical")| timechart count by severity limit=10 + (sourcetype=deepsecurity-log_inspection OR sourcetype=deepsecurity-log_inspection:json) | timechart count by severity limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -44,7 +44,7 @@ Log Inspection Description Activity - sourcetype=deepsecurity-log_inspection | top limit=5 LI_Description | rename LI_Description AS "Event Description" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-log_inspection OR sourcetype=deepsecurity-log_inspection:json) | top limit=5 description | rename description AS "Event Description" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -57,7 +57,7 @@
Log Inspection Activity - sourcetype=deepsecurity-log_inspection| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-log_inspection OR sourcetype=deepsecurity-log_inspection:json) | top limit=5 signature | rename signature AS "Event Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -70,7 +70,7 @@
Log Inspection Computer Activity - sourcetype=deepsecurity-log_inspection| top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-log_inspection OR sourcetype=deepsecurity-log_inspection:json) | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -81,4 +81,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_webreputation_dashboard.xml b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_webreputation_dashboard.xml index c8ed425..3d36473 100644 --- a/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_webreputation_dashboard.xml +++ b/TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_webreputation_dashboard.xml @@ -15,7 +15,7 @@ Web Reputation Event History - sourcetype=deepsecurity-web_reputation| timechart count by msg limit=10 + (sourcetype=deepsecurity-web_reputation OR sourcetype=deepsecurity-web_reputation:json) | timechart count by msg limit=10 $timeframe.earliest$ $timeframe.latest$ @@ -45,7 +45,7 @@ Web Reputation URL Activity - sourcetype=deepsecurity-web_reputation| top limit=5 request | rename request AS "URL" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-web_reputation OR sourcetype=deepsecurity-web_reputation:json) | top limit=5 url | rename url AS "URL" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -58,7 +58,7 @@
Web Reputation Computer Activity - sourcetype=deepsecurity-web_reputation| top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total" + (sourcetype=deepsecurity-web_reputation OR sourcetype=deepsecurity-web_reputation:json) | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"$timeframe.earliest$$timeframe.latest$ @@ -69,4 +69,4 @@
- \ No newline at end of file + diff --git a/TrendMicroDeepSecurity/default/eventtypes.conf b/TrendMicroDeepSecurity/default/eventtypes.conf index 73880e2..cdf3da5 100644 --- a/TrendMicroDeepSecurity/default/eventtypes.conf +++ b/TrendMicroDeepSecurity/default/eventtypes.conf @@ -1,4 +1,28 @@ # Copyright 2018, Trend Micro [deepsecurity] -search = sourcetype=deepsecurity* \ No newline at end of file +search = sourcetype=deepsecurity* + +[deepsecurity-intrusion_prevention] +search = (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json) + +[deepsecurity-antimalware] +search = (sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) + +[deepsecurity-integrity_monitoring] +search = (sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) + +[deepsecurity-web_reputation] +search = (sourcetype=deepsecurity-web_reputation OR sourcetype=deepsecurity-web_reputation:json) + +[deepsecurity-system_events] +search = (sourcetype=deepsecurity-system_events OR sourcetype=deepsecurity-system_events:json) + +[deepsecurity-firewall] +search = (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) + +[deepsecurity-log_inspection] +search = (sourcetype=deepsecurity-log_inspection OR sourcetype=deepsecurity-log_inspection:json) + +[deepsecurity-app_control] +search = (sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json) diff --git a/TrendMicroDeepSecurity/default/props.conf b/TrendMicroDeepSecurity/default/props.conf index 0909c23..bb4e2f9 100644 --- a/TrendMicroDeepSecurity/default/props.conf +++ b/TrendMicroDeepSecurity/default/props.conf 
@@ -23,7 +23,7 @@ REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cef FIELDALIAS-Deep Security Firewall Field Aliases = TCP_Flags AS tcp_flag dmac AS dest_mac cef_rulename AS rule cef_ruleid AS rule_id dst AS dest_ip dpt AS dest_port dvchost AS dvc proto AS transport in AS bytes_in out AS bytes_out smac AS src_mac src AS src_ip spt AS src_port TrendMicroDsFrameType AS protocol cef_vendor AS vendor cef_product AS product # This transform won't be necessary in version 1.6 TRANSFORMS-changesourcetype = deepsecurity-intrusion_prevention -EVAL-action = case(act == "Deny", "dropped", act == "IDS:Deny", "allowed", act == "Log", "allowed") +EVAL-action = case(act == "Deny", "blocked", act == "IDS:Deny", "allowed", act == "Log", "allowed") EVAL-direction = case(in > 0, "inbound", out > 0, "outbound", 1=1, "unknown") KV_MODE = none @@ -42,7 +42,7 @@ KV_MODE = none NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false pulldown_type = 1 -FIELDALIAS-Deep Security Syetem Field Aliases = cef_vendor AS vendor cef_product AS product cef_ruleid AS rule_id +FIELDALIAS-Deep Security System Field Aliases = cef_vendor AS vendor cef_product AS product cef_ruleid AS rule_id REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom KV_MODE = none @@ -60,8 +60,9 @@ KV_MODE = none NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false pulldown_type = 1 -FIELDALIAS-Deep Security Log Inpsection Field Aliases = cef_vendor AS vendor cef_product AS product cef_ruleid AS rule_id +FIELDALIAS-Deep Security Log Inspection Field Aliases = cef_vendor AS vendor cef_product AS product cef_ruleid AS rule_id cef_rulename AS signature LI_Description AS description REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom +EVAL-severity = case(cef_severity=3, "low", cef_severity=6, "medium", cef_severity=8, "high", cef_severity=10, "critical") KV_MODE = none [deepsecurity-integrity_monitoring] 
@@ -70,6 +71,7 @@ SHOULD_LINEMERGE = false pulldown_type = 1 FIELDALIAS-Deep Security Integrity Monitoring Field Aliases = cef_vendor AS vendor cef_product AS product dvchost AS dvc cef_rulename AS change_type cef_ruleid AS rule_id EVAL-action = case(act == "created", "created", act == "deleted", "deleted", act == "renamed", "modified", act == "updated", "modified") +EVAL-severity = case(cef_severity=3, "low", cef_severity=6, "medium", cef_severity=8, "high", cef_severity=10, "critical") REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom KV_MODE = none @@ -77,7 +79,7 @@ KV_MODE = none NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false pulldown_type = 1 -FIELDALIAS-Deep Security Web Reptuation Field Aliases = cef_vendor AS vendor cef_product AS product request AS url dvchost AS src act AS action cef_ruleid AS rule_id +FIELDALIAS-Deep Security Web Reputation Field Aliases = cef_vendor AS vendor cef_product AS product request AS url dvchost AS src act AS action cef_ruleid AS rule_id REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom KV_MODE = none 
@@ -85,6 +87,134 @@ KV_MODE = none
 NO_BINARY_CHECK = 1
 SHOULD_LINEMERGE = false
 pulldown_type = 1
-FIELDALIAS-Deep Security Application Control Aliases = cef_vendor AS vendor cef_product AS product dvchost AS src act AS action cef_ruleid AS rule_id
+FIELDALIAS-Deep Security Application Control Aliases = cef_vendor AS vendor cef_product AS product dvchost AS src act AS action cef_ruleid AS rule_id cef_rulename AS signature
 REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom
 KV_MODE = none
+
+[deepsecurity:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+description = Sourcetype for Trend Micro data in JSON format received via SNS and Kinesis Firehose
+category = Structured
+INDEXED_EXTRACTIONS = json
+TIMESTAMP_FIELDS = LogDate
+TRANSFORMS-dvchost_json = deepsecurity-hostname_json
+TRANSFORMS-ipsevents_json = deepsecurity-intrusion_prevention_json
+TRANSFORMS-fwevents_json = deepsecurity-firewall_json
+TRANSFORMS-antimalware_json = deepsecurity-antimalware_json
+TRANSFORMS-system_events_json = deepsecurity-system_events_json
+TRANSFORMS-integrity_monitoring_json = deepsecurity-integrity_monitoring_json
+TRANSFORMS-log_inspection_json = deepsecurity-log_inspection_json
+TRANSFORMS-web_reputation_json = deepsecurity-web_reputation_json
+TRANSFORMS-app_control_json = deepsecurity-app_control_json
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-firewall:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_firewall_aliases = Flags AS tcp_flag Reason AS rule DestinationMAC AS dest_mac DestinationIP AS dest_ip DestinationPort AS dest_port DestinationIP AS dest PacketSize AS bytes SourceMAC AS src_mac SourceIP AS src_ip SourcePort AS src_port SourceIP AS src Hostname AS dvchost
+EVAL-action = case(ActionString == "Deny", "blocked", 1=1, "allowed")
+EVAL-direction = case(DirectionString = "Incoming", "inbound", DirectionString = "Outgoing", "outbound", 1=1, "unknown")
+EVAL-transport = case(ProtocolString = "ICMP", "icmp", ProtocolString = "ICMPV6", "icmp", ProtocolString = "TCP", "tcp", ProtocolString = "UDP", "udp")
+EVAL-bytes_in = case(DirectionString = "Incoming", PacketSize)
+EVAL-bytes_out = case(DirectionString = "Outgoing", PacketSize)
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-intrusion_prevention:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_intrusion_prevention_aliases = Flags AS tcp_flag DestinationMAC AS dest_mac DestinationIP AS dest_ip DestinationPort AS dest_port SourceMAC AS src_mac SourceIP AS src_ip SourcePort AS src_port DestinationIP AS dest SourceIP AS src Reason AS signature ApplicationType AS category IPDatagramLength AS bytes Hostname AS dvchost
+EVAL-direction = case(DirectionString = "Incoming", "inbound", DirectionString = "Outgoing", "outbound", 1=1, "unknown")
+EVAL-severity = case(Severity = 1, "low", Severity = 2, "medium", Severity = 3, "high", Severity = 4, "critical")
+EVAL-action = case(ActionString = "Deny", "blocked", ActionString = "Reset", "blocked", ActionString = "Log Only", "allowed", ActionString = "Detect Only: Deny", "allowed", ActionString = "Detect Only: Reset", "allowed", ActionString = "Detect Only: Insert", "allowed", ActionString = "Detect Only: Delete", "allowed", ActionString = "Detect Only: Replace", "allowed", ActionString = "Delete", "blocked", ActionString = "Replace", "blocked", ActionString = "Insert", "blocked", 1=1, "unknown")
+EVAL-ids_type = "host"
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+EVAL-bytes_in = case(DirectionString = "Incoming", IPDatagramLength)
+EVAL-bytes_out = case(DirectionString = "Outgoing", IPDatagramLength)
+EVAL-transport = lower(ProtocolString)
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-system_events:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_system_events_aliases = ActionBy AS user TargetName AS dest Title AS signature
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-antimalware:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_antimalware_aliases = MajorVirusTypeString AS category host AS dest LogDate AS date MalwareName AS signature InfectedFilePath AS file_path FileSHA1 AS file_hash HostAgentVersion AS product_version Hostname AS dvchost
+EVAL-action = case(ScanResultString == "Quarantined", "blocked", ScanResultString == "Deleted", "blocked", ScanResultString == "Cleaned", "blocked", ScanResultString == "Access Denied", "blocked", ScanResultString == "Passed", "allowed", ScanResultString == "Clean Failed", "deferred", ScanResultString == "Delete Failed", "deferred", ScanResultString == "Quarantine Failed", "deferred", 1=1, "unknown")
+EXTRACT-antimalware_file_name = (?[^\\|\/]*$) in InfectedFilePath
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-log_inspection:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_log_inspection_aliases = host AS dest Reason AS signature Hostname AS dvchost OSSEC_Description AS description
+EXTRACT-log_inspection_severity = (?^\w+) in SeverityString
+EVAL-severity = lower(severity)
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-integrity_monitoring:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_integrity_monitoring_aliases = Reason AS change_type User AS user User AS src_user User AS user_name HostGUID AS object_id EntityType AS object_category Key AS object Hostname AS dvchost
+EVAL-action = case(ChangeString == "Created", "created", ChangeString == "Deleted", "deleted", ChangeString == "Renamed", "modified", ChangeString == "Updated", "modified")
+EVAL-severity = case(Severity = 1, "low", Severity = 2, "medium", Severity = 3, "high", Severity = 4, "critical")
+EXTRACT-integrity_monitoring_object = ^(?.+?)(?=;|$| \-\>) in Key
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+EVAL-status = "success"
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-web_reputation:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_web_reputation_aliases = URL AS url host AS src Hostname AS dvchost RiskString AS msg
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+KV_MODE = none
+AUTO_KV_JSON = false
+
+[deepsecurity-app_control:json]
+NO_BINARY_CHECK = true
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-trend_micro_app_control_aliases = host AS src Action AS action Hostname AS dvchost Reason AS signature
+EVAL-vendor = "Trend Micro"
+EVAL-product = "Deep Security " + OriginString
+EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
+KV_MODE = none
+AUTO_KV_JSON = false
diff --git a/TrendMicroDeepSecurity/default/savedsearches.conf b/TrendMicroDeepSecurity/default/savedsearches.conf
index 67b7f69..edcefb7 100644
--- a/TrendMicroDeepSecurity/default/savedsearches.conf
+++ b/TrendMicroDeepSecurity/default/savedsearches.conf
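Review bot: `EVAL-action` in the new `[deepsecurity-firewall:json]` stanza labels every ActionString other than "Deny" as "allowed" through its `1=1, "allowed"` default, so detect-only events and any action value this mapping does not know are reported as permitted traffic in the CIM `action` field, whereas the `[deepsecurity-intrusion_prevention:json]` stanza in the same hunk enumerates its values and falls through to "unknown". The firewall dashboards in this patch sidestep it by filtering detect-only events on the raw `ActionString="Detect Only: Deny"`, but anything consuming the normalised field (data models, the High Severity saved search) will not. Suggest enumerating the values this patch already shows and defaulting to unknown, e.g. `EVAL-action = case(ActionString == "Deny", "blocked", ActionString == "Detect Only: Deny", "allowed", ActionString == "Log Only", "allowed", 1=1, "unknown")`, extended with whatever other firewall ActionString values the product emits.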
@@ -7,7 +7,7 @@ auto_summarize.dispatch.earliest_time = -1d@h cron_schedule = 0 0 * * * description = Events generated by Deep Security's Anti-Malware module dispatch.earliest_time = -1h -search = sourcetype=deepsecurity-antimalware +search = (sourcetype=deepsecurity-antimalware OR sourcetype=deepsecurity-antimalware:json) [Deep Security - Firewall Events] alert.suppress = 0 @@ -16,7 +16,7 @@ auto_summarize.dispatch.earliest_time = -1d@h cron_schedule = 0 0 * * * description = Events generated by Deep Security's Firewall module dispatch.earliest_time = -1h -search = sourcetype=deepsecurity-firewall +search = (sourcetype=deepsecurity-firewall OR sourcetype=deepsecurity-firewall:json) [Deep Security - Integrity Monitoring Events] alert.digest_mode = True @@ -26,7 +26,7 @@ auto_summarize.dispatch.earliest_time = -1d@h cron_schedule = 0 0 * * * description = Events generated by Deep Security's Integrity Monitoring module dispatch.earliest_time = -1h -search = sourcetype=deepsecurity-integrity_monitoring +search = (sourcetype=deepsecurity-integrity_monitoring OR sourcetype=deepsecurity-integrity_monitoring:json) [Deep Security - Log Inspection Events] alert.suppress = 0 @@ -35,7 +35,7 @@ auto_summarize.dispatch.earliest_time = -1d@h cron_schedule = 0 0 * * * description = Events generated by Deep Security's Log Inspection module dispatch.earliest_time = -1h -search = sourcetype=deepsecurity-log_inspection +search = (sourcetype=deepsecurity-log_inspection OR sourcetype=deepsecurity-log_inspection:json) [Deep Security - Web Reputation Events] alert.suppress = 0 @@ -44,7 +44,7 @@ auto_summarize.dispatch.earliest_time = -1d@h cron_schedule = 0 0 * * * description = Events generated by Deep Security's Web Reputation module dispatch.earliest_time = -1h -search = sourcetype=deepsecurity-web_reputation +search = (sourcetype=deepsecurity-web_reputation OR sourcetype=deepsecurity-web_reputation:json) [Deep Security - System Events] alert.suppress = 0 
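Review bot: Every saved search in this file (and every dashboard panel earlier in the patch) now inlines `(sourcetype=X OR sourcetype=X:json)`, while eventtypes.conf in this same commit defines a `deepsecurity-<module>` eventtype with exactly that search. Using `search = eventtype=deepsecurity-antimalware` here, and likewise in the firewall, integrity monitoring, log inspection, web reputation, system events, intrusion prevention and application control stanzas, keeps one definition per module so the next ingestion format is a single edit rather than a change to roughly forty searches. The tags.conf hunk already takes this route by switching its stanzas from `sourcetype=` to `eventtype=`.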
@@ -53,7 +53,7 @@ auto_summarize.dispatch.earliest_time = -1d@h
 cron_schedule = 0 0 * * *
 description = System events generated by Deep Security
 dispatch.earliest_time = -1h
-search = sourcetype=deepsecurity-system_events
+search = (sourcetype=deepsecurity-system_events OR sourcetype=deepsecurity-system_events:json)
 [Deep Security - All Security Events]
 alert.suppress = 0
@@ -62,7 +62,7 @@ auto_summarize.dispatch.earliest_time = -1d@h
 cron_schedule = 0 0 * * *
 description = All events from Deep Security's modules
 dispatch.earliest_time = -1h
-search = sourcetype=deepsecurity* sourcetype!=deepsecurity-system_events
+search = sourcetype=deepsecurity* (sourcetype!=deepsecurity-system_events AND sourcetype!=deepsecurity-system_events:json)
 [Deep Security - Intrusion Prevention Events]
 alert.suppress = 0
@@ -71,7 +71,7 @@ auto_summarize.dispatch.earliest_time = -1d@h
 cron_schedule = 0 0 * * *
 description = Events generated by Deep Security's Intrusion Prevention module
 dispatch.earliest_time = -1h
-search = sourcetype=deepsecurity-intrusion_prevention
+search = (sourcetype=deepsecurity-intrusion_prevention OR sourcetype=deepsecurity-intrusion_prevention:json)
 [Deep Security - High Severity Events]
 alert.suppress = 0
@@ -80,7 +80,7 @@ auto_summarize.dispatch.earliest_time = -1d@h
 cron_schedule = 0 0 * * *
 description = All High and Critical severity events from Deep Security's modules
 dispatch.earliest_time = -1h
-search = sourcetype=deepsecurity* sourcetype!=deepsecurity-system_events cef_severity > 7
+search = sourcetype=deepsecurity* (sourcetype!=deepsecurity-system_events AND sourcetype!=deepsecurity-system_events:json) (cef_severity > 7 OR severity="high" OR severity="critical")
 [Deep Security - Application Control Events]
 alert.suppress = 0
@@ -89,4 +89,4 @@ auto_summarize.dispatch.earliest_time = -1d@h
 cron_schedule = 0 0 * * *
 description = Events generated by Deep Security's Application Control module
 dispatch.earliest_time = -1h
-search = sourcetype=deepsecurity-app_control
+search = (sourcetype=deepsecurity-app_control OR sourcetype=deepsecurity-app_control:json)
diff --git a/TrendMicroDeepSecurity/default/tags.conf b/TrendMicroDeepSecurity/default/tags.conf
index 91e89dc..c7ead33 100644
--- a/TrendMicroDeepSecurity/default/tags.conf
+++ b/TrendMicroDeepSecurity/default/tags.conf
@@ -1,20 +1,20 @@
 # Copyright 2018, Trend Micro
-[sourcetype=deepsecurity-firewall]
+[eventtype=deepsecurity-firewall]
 network = enabled
 communicate = enabled
-[sourcetype=deepsecurity-intrusion_prevention]
+[eventtype=deepsecurity-intrusion_prevention]
 ids = enabled
 attack = enabled
-[sourcetype=deepsecurity-antimalware]
+[eventtype=deepsecurity-antimalware]
 malware = enabled
 attack = enabled
-[sourcetype=deepsecurity-integrity_monitoring]
+[eventtype=deepsecurity-integrity_monitoring]
 change = enabled
 audit = enabled
-[sourcetype=deepsecurity-web_reputation]
+[eventtype=deepsecurity-web_reputation]
 web = enabled
diff --git a/TrendMicroDeepSecurity/default/transforms.conf b/TrendMicroDeepSecurity/default/transforms.conf
index ec4f060..1436e7f 100644
--- a/TrendMicroDeepSecurity/default/transforms.conf
+++ b/TrendMicroDeepSecurity/default/transforms.conf
@@ -4,7 +4,7 @@ REGEX = cs4=(?\d+)\s(?\d+)
 [deepsecurity-cefheaders]
-REGEX = CEF:(?\d+)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)
+REGEX = CEF:(\s)?(?\d+)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)\|(?[^|]*)
 [deepsecurity-cefkeys]
 REGEX = (?:_+)?(?<_KEY_1>[\w.:\[\]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:\[\]]+=|$)))
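Review bot: The tag stanzas now key on `eventtype=…`, so the five tag sets only reach the new `:json` sourcetypes if each corresponding eventtype in eventtypes.conf (changed in this patch, not visible here) matches both `deepsecurity-<module>` and `deepsecurity-<module>:json`; if one of them still names only the CEF sourcetype, JSON events silently lose their CIM tags, which is worth a one-line comment at the top of the file stating that the eventtypes must cover every sourcetype of a module. Nothing in this hunk tags the application control, log inspection or system event eventtypes, even though the same patch adds JSON routing for all three; if the file ends at line 20, those events carry no tags at all.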
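Review bot: The `(\s)?` inserted after `CEF:` in the `[deepsecurity-cefheaders]` REGEX is a capturing group, yet this stanza extracts only through named groups, so the capture is never used; `\s?` states the intent more plainly, and `\s*` would also tolerate more than one character of padding between `CEF:` and the version if a relay inserts it. The same capturing form is already present in the `[deepsecurity-intrusion_prevention]` and `[deepsecurity-system_events]` stanzas shown later in this series, so whichever form is chosen should be applied to all three for consistency.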
@@ -54,4 +54,50 @@ DEST_KEY = MetaData:Sourcetype
 [deepsecurity-system_events]
 REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Manager\|([^|]*)\|
 FORMAT = sourcetype::deepsecurity-system_events
-DEST_KEY = MetaData:Sourcetype
\ No newline at end of file
+DEST_KEY = MetaData:Sourcetype
+
+
+[deepsecurity-hostname_json]
+REGEX = "Hostname":"(\S+?)[\s|\"]
+FORMAT = host::$1
+DEST_KEY = MetaData:Host
+
+[deepsecurity-intrusion_prevention_json]
+REGEX = "EventType":"PayloadLog"
+FORMAT = sourcetype::deepsecurity-intrusion_prevention:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-integrity_monitoring_json]
+REGEX = "EventType":"IntegrityEvent"
+FORMAT = sourcetype::deepsecurity-integrity_monitoring:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-log_inspection_json]
+REGEX = "EventType":"LogInspectionEvent"
+FORMAT = sourcetype::deepsecurity-log_inspection:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-web_reputation_json]
+REGEX = "EventType":"WebReputationEvent"
+FORMAT = sourcetype::deepsecurity-web_reputation:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-firewall_json]
+REGEX = "EventType":"PacketLog"
+FORMAT = sourcetype::deepsecurity-firewall:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-antimalware_json]
+REGEX = "EventType":"AntiMalwareEvent"
+FORMAT = sourcetype::deepsecurity-antimalware:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-app_control_json]
+REGEX = "EventType":"AppControlEvent"
+FORMAT = sourcetype::deepsecurity-app_control:json
+DEST_KEY = MetaData:Sourcetype
+
+[deepsecurity-system_events_json]
+REGEX = "EventType":"SystemEvent"
+FORMAT = sourcetype::deepsecurity-system_events:json
+DEST_KEY = MetaData:Sourcetype
From adc9a4c0061572b4c42cccd1f69d1b7475b9688f Mon Sep 17 00:00:00 2001
From: Pedro Borges
Date: Tue, 13 Sep 2022 14:12:25 -0600
Subject: [PATCH 2/4] fixed deepsecurity-cefcustom
---
 TrendMicroDeepSecurity/default/transforms.conf | 2 ++
 1 file changed, 2 insertions(+)
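Review bot: `[deepsecurity-hostname_json]` overwrites the `host` metadata with whatever `Hostname` value the event body carries, so an event naming another machine is indexed under that host rather than under the forwarder that delivered it; that is a defensible choice for a Manager-forwarded feed, but it should be stated, e.g. `# host is taken from the event's own Hostname field, not from the sending forwarder` above the stanza, so that anyone correlating on `host` knows it is event-asserted. In that REGEX the `|` inside `[\s|\"]` is a literal pipe character, not an alternation, so the class is presumably meant to be `[\s\"]`. The eight `"EventType":"…"` routing regexes match their marker anywhere in the event, so an event whose other fields happen to embed one of those strings (for instance, raw log text inside a log inspection event) could be re-sourcetyped by whichever matching transform runs last; they also assume no whitespace around the colon, which depends on the serializer, so `"EventType"\s*:\s*"PayloadLog"` would be the safer shape if that is not guaranteed.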
diff --git a/TrendMicroDeepSecurity/default/transforms.conf b/TrendMicroDeepSecurity/default/transforms.conf
index 1436e7f..8a995fd 100644
--- a/TrendMicroDeepSecurity/default/transforms.conf
+++ b/TrendMicroDeepSecurity/default/transforms.conf
@@ -15,6 +15,8 @@ CLEAN_KEYS = 1
 REGEX = (\S+)=([^=]*)\s+(?:\1Label)=([^=]+)(?:(?:\s\w+=)|$)
 FORMAT=$3::$2
 KEEP_EMPTY_VALS=True
+CLEAN_KEYS = 1
+REPEAT_MATCH = True
 [deepsecurity-intrusion_prevention]
 REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(10|[2-3][0-9][0-9]|[5-7][0-9][0-9]|8[0-4][0-9]|1[0-9][0-9][0-9][0-9][0-9][0-9])\|
From 85f4971f3071a3586746211fb74665cffab9d4cd Mon Sep 17 00:00:00 2001
From: Pedro Borges
Date: Tue, 13 Sep 2022 16:29:36 -0600
Subject: [PATCH 3/4] adding minor changes
---
 TrendMicroDeepSecurity/default/props.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/TrendMicroDeepSecurity/default/props.conf b/TrendMicroDeepSecurity/default/props.conf
index bb4e2f9..5b11a37 100644
--- a/TrendMicroDeepSecurity/default/props.conf
+++ b/TrendMicroDeepSecurity/default/props.conf
@@ -201,7 +201,7 @@ AUTO_KV_JSON = false
 NO_BINARY_CHECK = true
 SHOULD_LINEMERGE = false
 pulldown_type = 1
-FIELDALIAS-trend_micro_web_reputation_aliases = URL AS url host AS src Hostname AS dvchost RiskString AS msg
+FIELDALIAS-trend_micro_web_reputation_aliases = URL AS url host AS src Hostname AS dvchost RiskString AS msg TargetIP AS dest_ip
 EVAL-vendor = "Trend Micro"
 EVAL-product = "Deep Security " + OriginString
 EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
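Review bot: With `REPEAT_MATCH = True` the tail `(?:(?:\s\w+=)|$)` of the context-line REGEX starts to matter: it consumes the key of the following `key=` pair rather than merely checking for it, so when two custom-field pairs sit back to back (e.g. `cs1=… cs1Label=… cs2=… cs2Label=…`) the second match begins inside the next value and that pair is skipped. Turning the tail into a lookahead, `REGEX = (\S+)=([^=]*)\s+(?:\1Label)=([^=]+)(?=\s\w+=|$)`, keeps the boundary check without eating the next key. The `[deepsecurity-cefcustom]` stanza header lies above the hunk; while touching it, the new `CLEAN_KEYS = 1` uses the spaced `KEY = value` style whereas the adjacent `FORMAT=$3::$2` and `KEEP_EMPTY_VALS=True` do not.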
@@ -212,7 +212,7 @@ AUTO_KV_JSON = false
 NO_BINARY_CHECK = true
 SHOULD_LINEMERGE = false
 pulldown_type = 1
-FIELDALIAS-trend_micro_app_control_aliases = host AS src Action AS action Hostname AS dvchost Reason AS signature
+FIELDALIAS-trend_micro_app_control_aliases = host AS src Action AS signature Hostname AS dvchost Reason AS signature FileName AS object SHA1 AS file_hash OperationDesc AS action UserName AS user
 EVAL-vendor = "Trend Micro"
 EVAL-product = "Deep Security " + OriginString
 EVAL-vendor_product = "Trend Micro Deep Security " + OriginString
From 91842384fee1c1fc7096e86330af44ef2987c953 Mon Sep 17 00:00:00 2001
From: Pedro Borges
Date: Tue, 13 Sep 2022 16:33:57 -0600
Subject: [PATCH 4/4] fixing deep-security-icmp
---
 TrendMicroDeepSecurity/default/props.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/TrendMicroDeepSecurity/default/props.conf b/TrendMicroDeepSecurity/default/props.conf
index 5b11a37..dd75e42 100644
--- a/TrendMicroDeepSecurity/default/props.conf
+++ b/TrendMicroDeepSecurity/default/props.conf
@@ -4,7 +4,7 @@
 NO_BINARY_CHECK = 1
 SHOULD_LINEMERGE = false
 pulldown_type = 1
-REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom,deep-security-icmp
+REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom,deepsecurity-icmp
 TRANSFORMS-ipsevents = deepsecurity-intrusion_prevention
 TRANSFORMS-fwevents = deepsecurity-firewall
 TRANSFORMS-antimalware = deepsecurity-antimalware
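Review bot: The new alias list maps two source fields onto the same target, `Action AS signature` and `Reason AS signature`, so `signature` is ambiguous for application control events; whether Splunk keeps the last alias or produces a multivalue depends on the version, but either way one of the two values cannot be relied on. Since `OperationDesc AS action` now supplies `action`, the `Action AS signature` entry reads like a leftover from the old `Action AS action` mapping and should either be dropped or point `Action` at a distinct field. The `[deepsecurity-app_control:json]` stanza header lies above the hunk.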
@@ -19,7 +19,7 @@ KV_MODE = none
 NO_BINARY_CHECK = 1
 SHOULD_LINEMERGE = false
 pulldown_type = 1
-REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom,deep-security-icmp
+REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom,deepsecurity-icmp
 FIELDALIAS-Deep Security Firewall Field Aliases = TCP_Flags AS tcp_flag dmac AS dest_mac cef_rulename AS rule cef_ruleid AS rule_id dst AS dest_ip dpt AS dest_port dvchost AS dvc proto AS transport in AS bytes_in out AS bytes_out smac AS src_mac src AS src_ip spt AS src_port TrendMicroDsFrameType AS protocol cef_vendor AS vendor cef_product AS product
 # This transform won't be necessary in version 1.6
 TRANSFORMS-changesourcetype = deepsecurity-intrusion_prevention