
Commit cc217fb

DS-22758 Use specific Device Product to distinguish system events
As system events come from the Manager while all security events come from the Agent, make the Device Product header explicit in order to classify events. With this change, the filter on the system event Signature ID is no longer needed, so it is removed to include all DSM events as system events.
1 parent be676e9 commit cc217fb

1 file changed

+7
-7
lines changed


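--- a/TrendMicroDeepSecurity/default/transforms.conf
+++ b/TrendMicroDeepSecurity/default/transforms.conf
@@ -15,36 +15,36 @@ FORMAT=$3::$2
 KEEP_EMPTY_VALS=True
 
 [deepsecurity-intrusion_prevention]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(10|[2-3][0-9][0-9]|[5-7][0-9][0-9]|8[0-4][0-9]|1[0-9][0-9][0-9][0-9][0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(10|[2-3][0-9][0-9]|[5-7][0-9][0-9]|8[0-4][0-9]|1[0-9][0-9][0-9][0-9][0-9][0-9])\|
 FORMAT = sourcetype::deepsecurity-intrusion_prevention
 DEST_KEY = MetaData:Sourcetype
 
 [deepsecurity-integrity_monitoring]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(30|2[0-9][0-9][0-9][0-9][0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(30|2[0-9][0-9][0-9][0-9][0-9][0-9])\|
 FORMAT = sourcetype::deepsecurity-integrity_monitoring
 DEST_KEY = MetaData:Sourcetype
 
 [deepsecurity-log_inspection]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(40|3[0-9][0-9][0-9][0-9][0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(40|3[0-9][0-9][0-9][0-9][0-9][0-9])\|
 FORMAT = sourcetype::deepsecurity-log_inspection
 DEST_KEY = MetaData:Sourcetype
 
 [deepsecurity-web_reputation]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(5[0-9][0-9][0-9][0-9][0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(5[0-9][0-9][0-9][0-9][0-9][0-9])\|
 FORMAT = sourcetype::deepsecurity-web_reputation
 DEST_KEY = MetaData:Sourcetype
 
 [deepsecurity-firewall]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(20|21|1[0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(20|21|1[0-9][0-9])\|
 FORMAT = sourcetype::deepsecurity-firewall
 DEST_KEY = MetaData:Sourcetype
 
 [deepsecurity-antimalware]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(4[0-9][0-9][0-9][0-9][0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(4[0-9][0-9][0-9][0-9][0-9][0-9])\|
 FORMAT = sourcetype::deepsecurity-antimalware
 DEST_KEY = MetaData:Sourcetype
 
 [deepsecurity-system_events]
-REGEX = CEF:(\s)?(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|(4[0-9][0-9]|85[0-4]|9[0-9][0-9]|[1-6][0-9][0-9][0-9]|7[0-4][0-9][0-9])\|
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Manager\|([^|]*)\|
 FORMAT = sourcetype::deepsecurity-system_events
 DEST_KEY = MetaData:Sourcetype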
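Review bot: The new `[deepsecurity-system_events]` REGEX at the end of the hunk now assigns the sourcetype solely on Device Product being `Deep Security Manager`, so any security event that arrives carrying that product string is classified as a system event and silently loses its module-specific field extractions and the searches built on them. Deep Security can forward agent events either directly from the Agent or relayed through the Manager, and on the relayed path the CEF product field presumably names the Manager, which would route firewall/IPS/anti-malware events into the system_events sourcetype; the commit message's assumption that "all security events come from the agent" should be confirmed against a relayed sample before this ships. If that turns out to be the case, a safer shape is to let the six agent stanzas match on Signature ID regardless of product and keep `deepsecurity-system_events` as the last transform in the props.conf ordering so it only catches what nothing else claimed. Either way a line of commentary above the first REGEX would help the next maintainer, e.g. `# CEF header field 3 (Device Product) selects the sourcetype: Agent events are split by Signature ID, everything from the Manager is treated as a system event.`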
