Hi Guys,
So initially we were ingesting TrendMicro logs via the API but we were not getting anything meaningful so we switched to syslog and now we are getting somewhere. The problem is when we were using the API, the logs were being parsed well but when we switched to syslog then now nothing is being parsed it defaults to GenericCEFParser. below is a sample of the syslog we are getting. Any pointers will be appreciated
<132>Apr 16 2024 19:55:02 172.x.x CEF:0|Trend Micro|Vision One|1.0.0|900002|Vision One Observed Attack Technique|5|rt=Apr 16 2024 19:45:28 act= app= cat=Device Access Violation cs1= cs2= dpt= dst= msg=A device access policy was violated. spt= src=dhost= shost= dvchost=DT00020679 request= cs1Label=MITRE Tactics IDs cs2Label=MITRE Technique IDs externalId=100112 deviceFacility=Standard Endpoint Protection deviceDirection= deviceExternalId= deviceProcessName=
Hi George, the Vision One integration and events pulled via the API are in a different format from the CEF events, there currently is no parser for the CEF format.
If you can elaborate on the issue with the API integration, we can see what improvements we can make. Would a remote session be quicker? If so, please message me directly, and we will have a look.
Thanks for the feedback.
Hello,
Thank you for your timely response. Actually the limitation we were getting from the API integration is not from FortiSIEM but rather from TrendMicro. The free API connection only gives limited data that's not of any use to us and if we are to get more robust logs we are required to pay for the API which at the moment is not an option for us. We thought if we could get the logs via syslog would be much better. Seems we will have to re-strategize
Can you private message me a broader sample of logs that you have exported out of your FSM in CSV format, I'll review them.
Is this what you configured in Vision One? https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-__syslog-forwarding-2
yes that's what i configured. Sure let me send you a the csv
Thanks for the info. We are looking into this
Hi Team,
Any progress on this?
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.