FortiSIEM Discussions
george_omondi
New Contributor

FortiSIEM TrendMicro syslog Parser

Hi Guys,

So initially we were ingesting TrendMicro logs via the API, but we were not getting anything meaningful, so we switched to syslog and now we are getting somewhere. The problem is that when we were using the API the logs were being parsed well, but since we switched to syslog nothing is being parsed; it defaults to GenericCEFParser. Below is a sample of the syslog we are getting. Any pointers will be appreciated.

<132>Apr 16 2024 19:55:02 172.x.x CEF:0|Trend Micro|Vision One|1.0.0|900002|Vision One Observed Attack Technique|5|rt=Apr 16 2024 19:45:28 act= app= cat=Device Access Violation cs1= cs2= dpt= dst= msg=A device access policy was violated. spt= src=dhost= shost= dvchost=DT00020679 request= cs1Label=MITRE Tactics IDs cs2Label=MITRE Technique IDs externalId=100112 deviceFacility=Standard Endpoint Protection deviceDirection= deviceExternalId= deviceProcessName=

G.O
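As an added illustration (not code from this thread, from Fortinet or from Trend Micro), here is a small Python parser for the Vision One CEF line quoted above. It splits the syslog prefix from the CEF header, handles the many empty extension values, and applies the cs1Label/cs2Label renaming a SIEM parser would do; SAMPLE is a constructed copy of the line in the post.

```python
import re
from typing import Dict

# Constructed copy of the Vision One CEF line quoted in the post (host address left as written there).
SAMPLE = ("<132>Apr 16 2024 19:55:02 172.x.x CEF:0|Trend Micro|Vision One|1.0.0|900002|"
          "Vision One Observed Attack Technique|5|rt=Apr 16 2024 19:45:28 act= app= "
          "cat=Device Access Violation cs1= cs2= dpt= dst= msg=A device access policy was violated. "
          "spt= src=dhost= shost= dvchost=DT00020679 request= cs1Label=MITRE Tactics IDs "
          "cs2Label=MITRE Technique IDs externalId=100112 deviceFacility=Standard Endpoint Protection "
          "deviceDirection= deviceExternalId= deviceProcessName=")

HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# A CEF extension key is alphanumeric and is preceded by whitespace (or starts the extension).
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def parse_cef(line: str) -> Dict[str, str]:
    """Parse a syslog-wrapped CEF line into a flat dict of header and extension fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    # Everything before 'CEF:' (PRI, timestamp, relay host) is kept as one field.
    out = {"syslog_prefix": line[:start].strip()}
    # The header is seven pipe-delimited fields; split on unescaped pipes only, the rest is the extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    for key, val in zip(HEADER_KEYS, parts[:7]):
        out[key] = val.replace("CEF:", "", 1).replace(r"\|", "|")
    ext = parts[7]
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        # Empty values such as 'act=' or 'dst=' are legal CEF and simply become "".
        out[m.group(1)] = ext[m.end():end].strip()
    # Note: 'src=dhost=' in the sample has no space before 'dhost', so per CEF it is
    # src with the literal value "dhost=" rather than two separate keys.
    # Apply csNLabel fields: cs1Label=MITRE Tactics IDs renames cs1 to that label.
    for label_key in [k for k in out if k.endswith("Label")]:
        base = label_key[: -len("Label")]
        if base in out and out[label_key]:
            out[out.pop(label_key)] = out.pop(base)
    return out


if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE).items():
        print(f"{k} = {v!r}")
```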
5 REPLIES
FSM_FTNT
Staff

Hi George, the Vision One integration and the events pulled via the API are in a different format from the CEF events; there is currently no parser for the CEF format.

If you can elaborate on the issue with the API integration, we can see what improvements we can make. Would a remote session be quicker? If so, please message me directly, and we will have a look.

Thanks for the feedback.

george_omondi

Hello,

Thank you for your timely response. Actually, the limitation we were getting from the API integration is not from FortiSIEM but rather from TrendMicro. The free API connection only gives limited data that's not of any use to us, and if we are to get more robust logs we are required to pay for the API, which at the moment is not an option for us. We thought that getting the logs via syslog would be much better. Seems we will have to re-strategize.

G.O
FSM_FTNT

Can you private message me a broader sample of logs that you have exported out of your FSM in CSV format? I'll review them.

Is this what you configured in Vision One? https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-__syslog-forwarding-2

george_omondi

Yes, that's what I configured. Sure, let me send you the CSV.

G.O
FSM_FTNT

Thanks for the info. We are looking into this.