Custom Decoder requirement for Trend Micro Deep Security


Rahul

May 2, 2019, 3:00:21 AM
to Wazuh mailing list
Dear All,

I am facing challenges with Trend Micro Deep Security logs, as I am not able to fully decode those logs and write the corresponding rules.

It would be a great help if anyone could share the decoder and rule set for them; the log samples are mentioned below.

Thanks for your help in advance.

Apr 26 13:24:45 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|720|Policy Sent|3|src=X.X.X.X suser=System target=X.X.X.X (PP-XXX-XXX) msg=The policy (fingerprint 88:3B:28:7A:96:89:C9:93:60:13:C8:DA:86:EF:38:C2:2A:60:CA:6F) was successfully sent to the agent. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:46 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X (XXX-XX-32-XX) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|303|Computer Renamed|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=An existing computer was renamed from 10.3.16.10 to 10.3.16.81 in DSM based on changes reported by the Agent/Appliance. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|735|Misconfiguration Detected|6|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=An Agent/Appliance misconfiguration has been detected. The Agent/Appliance has been marked for update and will be updated during the next heartbeat. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|276|Update: Summary Information|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 



Also, can you help me with how to write the regex for the decoder, for future endeavours?

Thanks 

eva....@wazuh.com

May 3, 2019, 7:45:18 AM
to Wazuh mailing list
Dear Rahul,

You can create and add new decoders and rules as described in our documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

To check whether rules are working, you can use ossec-logtest. ossec-logtest allows you to test and verify the decoders and rules using a provided log example, in a way that simulates the action of ossec-analysisd.

More information about ossec-logtest can be found at the following link: https://documentation.wazuh.com/current/user-manual/reference/tools/ossec-logtest.html

The ossec-logtest output without Trend Micro Deep Security rules is:


    Apr 26 13:24:45 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|720|Policy Sent|3|src=X.X.X.X suser=System target=X.X.X.X (PP-XXX-XXX) msg=The policy (fingerprint 88:3B:28:7A:96:89:C9:93:60:13:C8:DA:86:EF:38:C2:2A:60:CA:6F) was successfully sent to the agent. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0


    **Phase 1: Completed pre-decoding.
        full event: 'Apr 26 13:24:45 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|720|Policy Sent|3|src=X.X.X.X suser=System target=X.X.X.X (PP-XXX-XXX) msg=The policy (fingerprint 88:3B:28:7A:96:89:C9:93:60:13:C8:DA:86:EF:38:C2:2A:60:CA:6F) was successfully sent to the agent. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 '
        timestamp: 'Apr 26 13:24:45'
        hostname: 'DSM'
        program_name: 'CEF'
        log: '0|Trend Micro|Deep Security Manager|11.0.308|720|Policy Sent|3|src=X.X.X.X suser=System target=X.X.X.X (PP-XXX-XXX) msg=The policy (fingerprint 88:3B:28:7A:96:89:C9:93:60:13:C8:DA:86:EF:38:C2:2A:60:CA:6F) was successfully sent to the agent. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 '

    **Phase 2: Completed decoding.
        No decoder matched.

       

Note that the pre-decoding phase processes the event and obtains the full event, timestamp, hostname, program name, and log. You have to create decoders to match the log.

Here is an example of a decoder for Trend Micro Deep Security:

    <decoder name="trend-micro-deep-security">
        <program_name>CEF</program_name>
    </decoder>

    <decoder name="trend-micro-deep-security-default">
        <parent>trend-micro-deep-security</parent>
        <regex>\|(\d+)\|(\.+)\|(\d)\|src=(\S+) suser=(\S+) target=(\.+) msg=(\.+)</regex>
        <order>id, action, level, srcip, srcuser, dstip, message</order>
    </decoder>


And the rules could be the following:

    <group name="trendMicroDeepSecurity">

    <rule id="200000" level="0">
        <decoded_as>trend-micro-deep-security</decoded_as>
        <description>Trend Micro Deep Security messages grouped</description>
    </rule>

    <rule id="200001" level="3">
        <if_sid>200000</if_sid>
        <field name="level">3</field>
        <description>Trend Micro Deep Security alert level 3</description>
    </rule>

    </group>



The ossec-logtest's output with the above examples will be:


    Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0


    **Phase 1: Completed pre-decoding.
        full event: 'Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 '
        timestamp: 'Apr 26 13:24:47'
        hostname: 'DSM'
        program_name: 'CEF'
        log: '0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 '

    **Phase 2: Completed decoding.
        decoder: 'trend-micro-deep-security'
        id: '252'
        action: 'Computer Updated'
        level: '3'
        srcip: 'X.X.X.X'
        srcuser: 'System'
        dstip: 'X.X.X.X  (X.X.X.X )'
        message: 'Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 '

    **Phase 3: Completed filtering (rules).
        Rule id: '200001'
        Level: '3'
        Description: 'Trend Micro Deep Security alert level 3'
    **Alert to be generated.



To generate an alert, the rule level must be greater than two. You can find out more about the rules syntax at the following link: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html

I hope this example helps you. If you have further questions, please let us know and we will help you.
You can also contribute to our ruleset repository: https://documentation.wazuh.com/current/user-manual/ruleset/contribute.html

Kind regards, Eva.

Rahul

May 6, 2019, 7:49:19 AM
to Wazuh mailing list
Thanks for your update. Based on your decoder I tried to create the decoder regex by myself, but was not able to for the logs mentioned below. Can you please help me write the decoder for the logs below?

May  6 16:49:14 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|3002831|Unix - Syslog|8|cn1=281 cn1Label=Host ID dvc=XXXX TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=New group added to the system cs1Label=LI Description fname=/var/log/secure shost=XXX-XXX4 msg=May  6 16:49:14 XXXX-tXXX useradd[31802]: new group: name\=XXXXX_, GID\=1398

May  6 16:59:35 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|3002831|Unix - Syslog|10|cn1=186 cn1Label=Host ID dvc=XX.XX.XX TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=New user added to the system cs1Label=LI Description fname=/var/log/secure shost=XXX-XXX-XXX8 msg=May  6 16:59:33 XXX-XXX-XXX8 useradd[23945]: new user: name\=XXXX_, UID\=758, GID\=761, home\=/home/XXXX_, shell\=/bin/bash

May  6 16:53:04 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|2003533|Application - OpenSSH|6|cn1=264 cn1Label=Host ID dvc=XXXX TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=deleted filePath=sshd/5102 msg=When deleted the Process had the following attributes:\n\n   Command Line: sshd: XXXXX [priv]\n   Group: rXXX\n   Parent: 25480\n   Path: /usr/sbin/sshd\n   Process: sshd\n   User: XXXX\n

May  6 16:57:17 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|2008720|Users and Groups - Create and Delete Activity|6|cn1=1560 cn1Label=Host ID dvc=10.144.19.43 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=created filePath=XXXXXX_ msg=No description is available.

Miguel Ruiz

May 6, 2019, 9:44:17 AM
to Wazuh mailing list
Hi Rahul,

I can see your logs use the CEF standard (Common Event Format):

CEF:Version|Device Vendor|Device Product|Device Version|Event Signature ID|Event Name|Severity|Extension

In this case, I would recommend using sibling decoders, as in this example, in order to obtain a decoded log with more details:

<decoder name="cef_trend_micro">
    <program_name>CEF</program_name>
    <prematch>0\|Trend Micro\|</prematch>
</decoder>

<!--
    May  6 16:49:14 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|3002831|Unix - Syslog|8|cn1=281 cn1Label=Host ID dvc=XXXX TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=New group added to the system cs1Label=LI Description fname=/var/log/secure shost=XXX-XXX4 msg=May  6 16:49:14 XXXX-tXXX useradd[31802]: new group: name\=XXXXX_, GID\=1398
-->

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Deep Security Agent\|</prematch>
    <regex>^0\|Trend Micro\|(\.+)\|(\.+)\|\d+\|(\.+)\|\d+\|</regex>
    <order>application,version,type</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>cn1=(\d+) cn1Label=Host ID </regex>
    <order>hostID</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>dvc=(\.+) \w+=</regex>
    <order>device</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>TrendMicroDsTenant=(\S+)</regex>
    <order>tenant</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>TrendMicroDsTenantId=(\S+)</regex>
    <order>tenantId</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>cs1=(\.+) cs1Label=LI Description </regex>
    <order>desc</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>fname=(\S+) </regex>
    <order>file_name</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>shost=(\S+)</regex>
    <order>srchost</order>
</decoder>

<decoder name="cef_deep_security_agent">
    <parent>cef_trend_micro</parent>
    <regex>msg=(\.+)</regex>
    <order>message</order>
</decoder>


<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Deep Security Manager\|</prematch>
    <regex>^0\|Trend Micro\|(\.+)\|(\.+)\|\d+\|(\.+)\|\d+\|</regex>
    <order>application,version,type</order>
</decoder>

<!-- Field names below follow the extension keys (src, suser, target, msg) so each capture lands in a distinct field -->

<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <regex>src=(\S+)</regex>
    <order>srcip</order>
</decoder>

<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <regex>suser=(\S+)</regex>
    <order>srcuser</order>
</decoder>

<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <regex>target=(\.+) \w+=</regex>
    <order>dstip</order>
</decoder>

<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <regex>msg=(\.+) \w+=</regex>
    <order>message</order>
</decoder>

<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <regex>TrendMicroDsTenant=(\S+)</regex>
    <order>tenant</order>
</decoder>

<decoder name="cef_deep_security_manager">
    <parent>cef_trend_micro</parent>
    <regex>TrendMicroDsTenantId=(\S+)</regex>
    <order>tenantId</order>
</decoder>

<!--
    Generic

    May  6 16:49:14 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|3002831|Unix - Syslog|8| ...
-->

<decoder name="cef_trend_micro_generic">
    <parent>cef_trend_micro</parent>
    <regex>0\|Trend Micro\|(\.+)\|\.+\|\.+\|(\.+)\|\d+\|</regex>
    <order>app,type</order>
</decoder>

Sibling decoders allow you to split complex regex patterns into separate, smaller regexes. It may look more complicated at first, but it has a huge advantage: if one of your sibling decoder regexes fails, the rest of the regexes will continue decoding the log information.

The rule when creating sibling decoders is that they must share the same decoder name and parent decoder, and it is only necessary to indicate a prematch in the first of them.

In the above example, there is a parent decoder that matches all Trend Micro logs (CEF format).
After the parent, there are two groups of sibling decoders, one for 'Deep Security Agent' and another for 'Deep Security Manager', that will split the log extension. Using sibling decoders is the best way to proceed in cases like this, when the log body is dynamic but very explicit, as here (field_name=field_value).

At the end, there is a 'generic' decoder that will match all the Trend Micro CEF logs, in case you have more applications you want to ingest but haven't created specific decoders for yet.

I suggest adding these decoders to your custom decoder folder and using /var/ossec/bin/ossec-logtest to test whether your log output is as expected.

Let me know if you have any further questions.

Best regards,
Miguel

Gal Akavia

Apr 11, 2022, 11:33:20 AM
to Wazuh mailing list
Hi Miguel,
I am following your steps above; I'm using Wazuh 4.1.5 all-in-one and Trend Micro Apex Central.
I'm a little stuck at the first step: I did the following, but after testing it in wazuh-logtest there is nothing.
I must mention I tried more options to make the decoders work, but unsuccessfully.

Will appreciate any help! Thanks!

1. Apex Central Intrusion Prevention CEF example:

CEF:0|Trend Micro|Apex Central|2019|Block|Intrusion Prevention|3|devicePayloadId=3100D81Xx765-B80511EC-B9A7-D439-A1FD rt=Apr 11 2022 14:56:23 GMT+04:00 dvchost=TMEPSRV deviceFacility=Apex One src=x.x.x.x TMCMLogDetectedIP=x.x.x.x TMCMLogDetectedHost=TestSRV dst=22.99.22.99 smac=22:22:22:22:22:22 spt=49157 dmac=11:11:11:11:11:11 dpt=60102 cn2Label=Mode cn2=0 act=Block deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=0 cs1Label=Reason/Rule cs1=Invalid Flags cnt=1 ApexCentralHost=TM-AC deviceNtDomain=N/A dntdom=first OU\\OU1\\SubOU1\\


2. decoder >>
<decoder name="cef_trend_micro">
    <program_name>CEF</program_name>
    <prematch>0\|Trend Micro\|</prematch>
</decoder>

<decoder name="cef_apex_central">
    <parent>cef_trend_micro</parent>
    <prematch>Trend Micro\|Apex Central\|</prematch>
    <regex>^0\|Trend Micro\|(\.+)\|(\d+)\|</regex>
    <order>application,version,type</order>
</decoder>


3. wazuh-logtest >>
Capture.PNG

Yana Zaeva

Apr 12, 2022, 4:54:38 AM
to Wazuh mailing list

Hi,

The decoder sent above will work for these types of logs:

Apr 26 13:24:45 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|720|Policy Sent|3|src=X.X.X.X suser=System target=X.X.X.X (PP-XXX-XXX) msg=The policy (fingerprint 88:3B:28:7A:96:89:C9:93:60:13:C8:DA:86:EF:38:C2:2A:60:CA:6F) was successfully sent to the agent. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:46 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X (XXX-XX-32-XX) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|252|Computer Updated|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|303|Computer Renamed|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=An existing computer was renamed from 10.3.16.10 to 10.3.16.81 in DSM based on changes reported by the Agent/Appliance. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|735|Misconfiguration Detected|6|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=An Agent/Appliance misconfiguration has been detected. The Agent/Appliance has been marked for update and will be updated during the next heartbeat. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 

Apr 26 13:24:47 DSM CEF: 0|Trend Micro|Deep Security Manager|11.0.308|276|Update: Summary Information|3|src=X.X.X.X  suser=System target=X.X.X.X  (X.X.X.X ) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

However, the log you sent follows another structure, so you will have to use other decoders. I have written some for the log you sent above; feel free to use them:

<decoder name="cef_trend_micro">
    <prematch>^CEF</prematch>
</decoder>

<decoder name="cef_apex_child">
    <parent>cef_trend_micro</parent>
    <regex>^CEF:0\|Trend Micro\|(\.+)\|(\d+)\|(\.+)\|(\.+)\|(\d+)\|</regex>
    <order>device_product, device_version, event_signature_id, event_name, severity</order>
</decoder>

<decoder name="cef_apex_child">
   <parent>cef_trend_micro</parent>
   <regex offset="after_regex">devicePayloadId=(\w+) rt=(\w+ \d+ \d+ \d\d:\d\d:\d\d \w+\p\d\d:\d\d) dvchost=(\w+) deviceFacility=(\.+) src=(\d+.\d+.\d+.\d+) TMCMLogDetectedIP=(\d+.\d+.\d+.\d+) TMCMLogDetectedHost=(\w+) </regex>
   <order>device_payload_id, rt, dvchost, device_facility, src, tmcm_log_detected_ip, tmcm_log_detected_host</order>
</decoder>

<decoder name="cef_apex_child">
   <parent>cef_trend_micro</parent>
   <regex offset="after_regex">dst=(\d+.\d+.\d+.\d+) smac=(\S+) spt=(\d+) dmac=(\S+) dpt=(\d+) cn2Label=(\w+) cn2=(\d+) act=(\w+) deviceDirection=(\w+) cn3Label=(\w+) cn3=(\d+) cn4Label=(\w+) </regex>
   <order>dst, smac, spt, dmac, dpt, cn2_label, cn2, act, device_direction, cn3_label, cn3, cn4_label</order>
</decoder>

<decoder name="cef_apex_child">
   <parent>cef_trend_micro</parent>
   <regex offset="after_regex">cn4=(\d+) proto=(\d+) cs2Label=(\w+) cs2=(\S+) cn1Label=(\w+) cn1=(\d+) cs1Label=(\S+) cs1=(\.+) cnt=(\d+) </regex>
   <order>cn4, proto, cs2_label, cs2, cn1_label, cn1, cs1_label, cs1, cnt</order>
</decoder>

<decoder name="cef_apex_child">
   <parent>cef_trend_micro</parent>
   <regex offset="after_regex">ApexCentralHost=(\w+) deviceNtDomain=(\S+) dntdom=(\.+)</regex>
   <order>apex_central_host, device_nt_domain, dntdom</order>
</decoder>

Here you can check the output:

CEF:0|Trend Micro|Apex Central|2019|Block|Intrusion Prevention|3|devicePayloadId=3100D81Xx765-B80511EC-B9A7-D439-A1FD rt=Apr 11 2022 14:56:23 GMT+04:00 dvchost=TMEPSRV deviceFacility=Apex One src=1.1.1.1 TMCMLogDetectedIP=1.1.1.1 TMCMLogDetectedHost=TestSRV dst=22.99.22.99 smac=22:22:22:22:22:22 spt=49157 dmac=11:11:11:11:11:11 dpt=60102 cn2Label=Mode cn2=0 act=Block deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=0 cs1Label=Reason/Rule cs1=Invalid Flags cnt=1 ApexCentralHost=TM-AC deviceNtDomain=N/A dntdom=first OU\\OU1\\SubOU1\\

**Phase 1: Completed pre-decoding.
    full event: 'CEF:0|Trend Micro|Apex Central|2019|Block|Intrusion Prevention|3|devicePayloadId=3100D81Xx765-B80511EC-B9A7-D439-A1FD rt=Apr 11 2022 14:56:23 GMT+04:00 dvchost=TMEPSRV deviceFacility=Apex One src=1.1.1.1 TMCMLogDetectedIP=1.1.1.1 TMCMLogDetectedHost=TestSRV dst=22.99.22.99 smac=22:22:22:22:22:22 spt=49157 dmac=11:11:11:11:11:11 dpt=60102 cn2Label=Mode cn2=0 act=Block deviceDirection=Inbound cn3Label=Priority cn3=100 cn4Label=Severity cn4=4 proto=10003 cs2Label=Application_Type cs2=N/A cn1Label=Rule cn1=0 cs1Label=Reason/Rule cs1=Invalid Flags cnt=1 ApexCentralHost=TM-AC deviceNtDomain=N/A dntdom=first OU\\OU1\\SubOU1\\'

**Phase 2: Completed decoding.
    name: 'cef_trend_micro'
    act: 'Block'
    apex_central_host: 'TM-AC'
    cn1: '0'
    cn1_label: 'Rule'
    cn2: '0'
    cn2_label: 'Mode'
    cn3: '100'
    cn3_label: 'Priority'
    cn4: '4'
    cn4_label: 'Severity'
    cnt: '1'
    cs1: 'Invalid Flags'
    cs1_label: 'Reason/Rule'
    cs2: 'N/A'
    cs2_label: 'Application_Type'
    device_direction: 'Inbound'
    device_facility: 'Apex One'
    device_nt_domain: 'N/A'
    device_payload_id: '3100D81Xx765-B80511EC-B9A7-D439-A1FD'
    device_product: 'Apex Central'
    device_version: '2019'
    dmac: '11:11:11:11:11:11'
    dntdom: 'first OU\\OU1\\SubOU1\\'
    dpt: '60102'
    dst: '22.99.22.99'
    dvchost: 'TMEPSRV'
    event_name: 'Intrusion Prevention'
    event_signature_id: 'Block'
    proto: '10003'
    rt: 'Apr 11 2022 14:56:23 GMT+04:00'
    severity: '3'
    smac: '22:22:22:22:22:22'
    spt: '49157'
    src: '1.1.1.1'
    tmcm_log_detected_host: 'TestSRV'
    tmcm_log_detected_ip: '1.1.1.1'

Hope this was helpful. Let us know if you need anything else.

Regards,
Yana.
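The CEF layout Miguel describes above (seven pipe-delimited header fields, then a key=value extension in which values may contain spaces) and the escaped characters visible in the samples in this thread (`name\=` and `GID\=` inside the useradd message, `\\` inside the `dntdom` value) are exactly the places where a single regex decoder tends to capture too much or too little. The following Python parser is an added example written for this page, not code from Wazuh or Trend Micro; the two sample lines inside it are constructed to follow the shapes quoted in the thread (a Deep Security Agent event with a syslog prefix, and an Apex Central event without one), with placeholder hosts, IDs and addresses. Running it shows which field values a decoder should be producing, so the Wazuh regex and `<order>` can be checked against a known-good parse.

```python
"""Parser for CEF (Common Event Format) lines of the kind shown in this thread.

Added example, not Wazuh or Trend Micro code.  SAMPLES are constructed from the
shapes quoted in the thread; hosts, IDs and addresses are placeholders.
"""
import re
from typing import Any, Dict, List

# The CEF header has exactly 7 pipe-delimited fields; everything after the 7th
# unescaped pipe is the extension (key=value pairs separated by spaces).
HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Split only on a pipe that is not preceded by a backslash (CEF escapes '|' as '\|').
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# An extension key starts at the beginning of the extension or after whitespace and is
# followed by an unescaped '='.  An escaped '\=' inside a value (e.g. 'name\=foo') does
# not match, because the character before '=' is a backslash, not a key character.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")
_ESCAPE = re.compile(r"\\(.)", re.DOTALL)
_ESCAPE_MAP = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}


def unescape(value: str) -> str:
    """Resolve CEF escape sequences (\\\\, \\=, \\|, \\n, \\r) in a single pass."""
    return _ESCAPE.sub(lambda m: _ESCAPE_MAP.get(m.group(1), m.group(0)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v two k3=v3' into a dict; each value runs up to the next key."""
    keys = list(_EXT_KEY.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[start:end].strip())
    return fields


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF event, tolerating a leading syslog header ('... DSM CEF: 0|...').

    Raises ValueError if the line has no 'CEF:' marker or fewer than 7 header fields.
    """
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("no CEF: marker in line")
    body = line[marker + len("CEF:"):].lstrip()  # syslog relays often emit 'CEF: 0|'
    parts = _UNESCAPED_PIPE.split(body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    event: Dict[str, Any] = {name: unescape(parts[i]) for i, name in enumerate(HEADER_FIELDS)}
    # Severity is 0-10 on these devices; keep it numeric so rules can compare it.
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(parts[7])
    return event


# Constructed samples (placeholder values) following the two shapes in the thread.
SAMPLES: List[str] = [
    "May  6 16:49:14 DSM CEF: 0|Trend Micro|Deep Security Agent|11.0.308|3002831"
    "|Unix - Syslog|8|cn1=281 cn1Label=Host ID dvc=10.0.0.5 TrendMicroDsTenant=Primary "
    "cs1=New group added to the system cs1Label=LI Description fname=/var/log/secure "
    "shost=host4 msg=May  6 16:49:14 host4 useradd[31802]: new group: name\\=staff_, GID\\=1398",
    "CEF:0|Trend Micro|Apex Central|2019|Block|Intrusion Prevention|3|devicePayloadId=ABC-123 "
    "rt=Apr 11 2022 14:56:23 GMT+04:00 dvchost=TMEPSRV deviceFacility=Apex One src=10.1.1.1 "
    "act=Block cs1Label=Reason/Rule cs1=Invalid Flags cnt=1 deviceNtDomain=N/A "
    "dntdom=first OU\\\\OU1\\\\SubOU1\\\\",
]


def parse_samples() -> List[Dict[str, Any]]:
    """Parse every constructed sample; used by the demo below and by tests."""
    return [parse_cef(s) for s in SAMPLES]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev["device_product"], ev["signature_id"], ev["name"], ev["severity"])
        for key, val in ev["extension"].items():
            print(f"    {key}: {val!r}")
```

Compare the printed extension against the Phase 2 output of ossec-logtest/wazuh-logtest: values such as `cs1Label: 'LI Description'` and `deviceFacility: 'Apex One'` are the ones a `\S+` capture would truncate, and the `msg` value keeps its `name=`/`GID=` pairs intact only because the key scanner ignores escaped `\=`.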
