Initial version 1.5.2 by Mike Gibson

TrendMicroDeepSecurity/README

@@ -0,0 +1,15 @@
+Version 1.5.2: April 4, 2016
+- Fixed a typo in the transforms.conf for web reputation events. Credit to Chris Bell for reporting the error.
+
+Version 1.5.1: March 28, 2016
+- Fixed an issue with "Intrusion Prevention Rule Updated" events not having their sourcetype modified.
+- Fixed an issue where in some cases a space is included immediately after "CEF:" in the syslog output from Deep Security.
+- Removed all inputs from the application itself to make it compatible with Splunk Cloud and to follow Splunk best practices of monitoring files. 
+
+Version 1.5.0: March 27, 2016
+- Added a single UDP input to handle all Deep Security messages (UDP:1514). The sourcetype will be dynamically changed according to the event content.
+- Added "Firewall Events by Location" to the "Deep Security Firewall Dashboard" to map the source IP for Firewall events.
+- Added "Intrusion Prevention Events by Location" to the "Deep Security Intrusion Prevention Dashboard" to map the source IP for IPS events.
+
+Version 1.4.0: January 2, 2014
+- This is the initial release of the Trend Micro Deep Security for Splunk App.

TrendMicroDeepSecurity/default/app.conf

@@ -0,0 +1,19 @@
+#
+# Splunk app configuration file
+#
+
+[install]
+is_configured = 0
+install_source_checksum = 0a5c77e19202dea4453e003fdef6c9b47b2086aa
+
+[package]
+id = TrendMicroDeepSecurity
+
+[ui]
+is_visible = True
+label = Trend Micro Deep Security for Splunk
+
+[launcher]
+author = Mike Gibson ([email protected])
+description = Trend Micro Deep Security for Splunk
+version = 1.5.2

TrendMicroDeepSecurity/default/data/ui/nav/default.xml

@@ -0,0 +1,28 @@
+<nav color="#db3d44">
+	<view name="flashtimeline" default='true' />
+	<collection label="Dashboards">
+		<view name="deepsecurity_antimalware_dashboard" />
+		<view name="deepsecurity_firewall_dashboard" />
+		<view name="deepsecurity_ips_dashboard" />
+		<view name="deepsecurity_integritymonitoring_dashboard" />
+		<view name="deepsecurity_loginspection_dashboard" />
+        <view name="deepsecurity_webreputation_dashboard" />
+	</collection>
+	<collection label="Saved Searches">
+        <collection label="Security Events">
+            <saved source="unclassified" match="Deep Security - High Severity Events"/>
+            <saved source="unclassified" match="Deep Security - All Security Events" />
+            <collection label="Module Events">
+                <saved source="unclassified" match="Deep Security - Anti-Malware Events" />
+                <saved source="unclassified" match="Deep Security - Firewall Events" />
+			    <saved source="unclassified" match="Deep Security - Intrusion Prevention Events" />
+			    <saved source="unclassified" match="Deep Security - Integrity Monitoring Events" />
+			    <saved source="unclassified" match="Deep Security - Log Inspection Events" />
+			    <saved source="unclassified" match="Deep Security - Web Reputation Events" />
+            </collection>
+		</collection>
+        <collection label="System Events">
+            <saved source="unclassified" match="Deep Security - System Events" />
+        </collection>
+	</collection>
+</nav>

TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml

@@ -0,0 +1,70 @@
+<form>
+  <label>Deep Security Anti-Malware Dashboard</label>
+  <fieldset submitButton="false">
+    <input type="time" token="timeframe">
+      <label>Timeframe</label>
+      <default>
+        <earliestTime>-24h@h</earliestTime>
+        <latestTime>now</latestTime>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <chart>
+        <title>Anti-Malware Event History</title>
+        <searchString>sourcetype="deepsecurity-antimalware"| timechart count by act limit=10</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.text">Hour</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.text">Events</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">false</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Anti-Malware Status (Computers)</title>
+        <searchString>sourcetype="deepsecurity-antimalware"| top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Anti-Malware Status (Malware)</title>
+        <searchString>sourcetype="deepsecurity-antimalware"| top limit=5 cef_rulename | rename cef_rulename as "Malware Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+</form>

TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_firewall_dashboard.xml

@@ -0,0 +1,175 @@
+<form>
+  <label>Deep Security Firewall Dashboard</label>
+  <fieldset submitButton="false">
+    <input type="time" token="timeframe">
+      <label>Time Frame</label>
+      <default>
+        <earliestTime>-24h@h</earliestTime>
+        <latestTime>now</latestTime>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <map>
+        <title>Firewall Events by Location</title>
+        <search>
+          <query>sourcetype=deepsecurity-firewall src!="N/A" | iplocation src | geostats count by src globallimit=0 | sort -count</query>
+          <earliest>$timeframe.earliest$</earliest>
+          <latest>$timeframe.latest$</latest>
+        </search>
+        <option name="mapping.data.maxClusters">100</option>
+        <option name="mapping.map.center">(0,0)</option>
+        <option name="mapping.map.zoom">2</option>
+        <option name="mapping.markerLayer.markerMaxSize">50</option>
+        <option name="mapping.markerLayer.markerMinSize">10</option>
+        <option name="mapping.markerLayer.markerOpacity">0.8</option>
+        <option name="mapping.tileLayer.maxZoom">7</option>
+        <option name="mapping.tileLayer.minZoom">0</option>
+        <option name="drilldown">all</option>
+      </map>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Firewall Event History</title>
+        <searchString>sourcetype=deepsecurity-firewall | timechart count by act limit=10</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.text">Hour</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.text">Events</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">false</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Firewall Activity (Prevented)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="Deny"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Firewall Activity (Detected)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny"| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Firewall IP Activity (Prevented)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="Deny" src!="N/A"| top limit=5 src  | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Firewall IP Activity (Detected)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny" src!="N/A"| top limit=5 src | rename src AS "Source IP" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Firewall Computer Activity (Prevented)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="Deny" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Firewall Computer Activity (Detected)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny" | top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Firewall Port Activity (Prevented)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="Deny" dpt &gt; 0 dpt!="N/A"| top limit=5 dpt | rename dpt as "Destination Port" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Firewall Port Activity (Detected)</title>
+        <searchString>sourcetype=deepsecurity-firewall act="IDS:Deny" dpt &gt; 0 dpt!="N/A"| top limit=5 dpt | rename dpt as "Destination Port" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+</form>

TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_integritymonitoring_dashboard.xml

@@ -0,0 +1,70 @@
+<form>
+  <label>Deep Security Integrity Monitoring Dashboard</label>
+  <fieldset submitButton="false">
+    <input type="time" token="timeframe">
+      <label>Time Frame</label>
+      <default>
+        <earliestTime>-24h@h</earliestTime>
+        <latestTime>now</latestTime>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <chart>
+        <title>Integrity Monitoring Event History</title>
+        <searchString>sourcetype=deepsecurity-integrity_monitoring  | eval severity=case(cef_severity=3, "Low", cef_severity=6, "Medium", cef_severity=8, "High", cef_severity=10, "Critical")| timechart count by severity limit=10</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.text">Hour</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.text">Events</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">false</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Integrity Monitoring Activity</title>
+        <searchString>sourcetype=deepsecurity-integrity_monitoring| top limit=5 cef_rulename | rename cef_rulename AS "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Integrity Monitoring Computer Activity</title>
+        <searchString>sourcetype=deepsecurity-integrity_monitoring| top limit=5 dvchost | rename dvchost AS "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+</form>