The Trend Micro Cloud App Security Add-On for Splunk Enterprise allows you to retrieve Cloud Email and Collaboration Protection detection logs on the Splunk console.
Note
The following instructions are based on the Splunk Server Enterprise 8.1.2 release. The Splunk settings may be different if you are using a different version of Splunk. Refer to the Splunk documentation for specific information related to your version.

Procedure

  1. Open the Splunk console.
  2. From the left Apps list, click Find More Apps to search for and install the Trend Micro Cloud App Security Add-On for Splunk Enterprise app.
  3. Configure the add-on settings.
    1. From the left Apps list of the Splunk console, locate and click Trend Micro Cloud App Security Add-On for Splunk Enterprise.
      The app configuration screen appears.
    2. (Optional) Click the Configuration tab, configure the proxy settings, and then click Save if your environment requires a proxy to connect to the Cloud Email and Collaboration Protection URL.
    3. Click the Inputs tab and then click Create New Input.
      The Add TMCAS Detection Logs screen appears.
    4. Specify the following fields:
      • Name: Type a unique name for this data input.
      • Interval: Specify the log query interval in seconds. The interval must be at least 300.
      • Index: Set it to default.
      • Service URL: The service URL shown under Administration > Automation and Integration APIs on the Cloud Email and Collaboration Protection management console. The console logon URL depends on the region where your Cloud Email and Collaboration Protection service is hosted.
      • Authentication Token: An authentication token created for the Log Retrieval API type under Administration > Automation and Integration APIs on the Cloud Email and Collaboration Protection management console.
      • Services: Select the services from which to retrieve Cloud Email and Collaboration Protection detection logs.
    5. Click Add.
  4. Configure the Splunk Dashboard settings.
    1. From the Splunk home screen, click Search & Reporting.
    2. Click the Dashboards tab.
    3. Click the Create New Dashboard button.
    4. Specify the Title and ID and click Create Dashboard.
      The Edit Dashboard screen opens.
    5. Click Source.
    6. Copy the contents of Splunk dashboard configuration content and paste them into the Edit Dashboard screen.
    7. Click Save.
    The new dashboard appears in the Dashboards list and starts displaying the retrieved Cloud Email and Collaboration Protection detection logs.
    For details about the raw log data in Splunk, see Response Fields in Get security logs.
    Important
    After successfully installing the Splunk add-on, Splunk begins pulling new logs from Cloud Email and Collaboration Protection as detections occur. The add-on does not pull preexisting logs from Cloud Email and Collaboration Protection. You may need to allow some time before new logs start to appear.
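The following Python script is an added example, not part of this documentation and not Trend Micro's add-on code. It models the retrieval behaviour the procedure describes so that you can check your input values before creating the data input: the Interval lower bound of 300 seconds, a Bearer token for the Log Retrieval API, one query per selected service, and a cursor that starts at install time so that no pre-existing logs are pulled. The endpoint path `/v1/siem/security_events`, the query parameter names, and the event fields are assumptions; the service URL, token and event list are constructed placeholders, and the network call is replaced by an in-memory stand-in so the script runs offline.

```python
"""Incremental detection-log poller (added example; assumptions are marked)."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

MIN_INTERVAL_SECONDS = 300  # lower bound documented for the add-on's Interval field


def validate_input(name: str, interval: int, service_url: str, token: str) -> None:
    """Apply the same constraints the Add TMCAS Detection Logs form expects."""
    if not name.strip():
        raise ValueError("Name must be a non-empty, unique input name")
    if interval < MIN_INTERVAL_SECONDS:
        raise ValueError(f"Interval must be at least {MIN_INTERVAL_SECONDS} seconds")
    if not service_url.startswith("https://"):
        raise ValueError("Service URL must be an https URL from the management console")
    if not token:
        raise ValueError("Authentication Token (Log Retrieval API type) is required")


def _iso(ts: datetime) -> str:
    """Render a timestamp as UTC ISO 8601 so string comparison matches time order."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class DetectionLogPoller:
    """Pulls only logs newer than the cursor; the cursor starts at install time."""

    def __init__(self, service_url: str, token: str, services: List[str],
                 fetch: Callable[[Dict], List[Dict]], installed_at: datetime) -> None:
        self.service_url = service_url.rstrip("/")
        self.token = token
        self.services = list(services)
        self.fetch = fetch            # transport is injected so it can be tested offline
        self.cursor = installed_at    # no backfill of pre-existing detections

    def build_request(self, service: str, start: datetime, end: datetime) -> Dict:
        """Describe one Log Retrieval API call (path and parameter names are assumed)."""
        return {
            "url": f"{self.service_url}/v1/siem/security_events",  # assumed endpoint path
            "headers": {"Authorization": f"Bearer {self.token}"},
            "params": {"service": service, "start": _iso(start), "end": _iso(end)},
        }

    def poll(self, now: datetime) -> List[Dict]:
        """Query every selected service for [cursor, now) and advance the cursor."""
        collected: List[Dict] = []
        for service in self.services:
            collected.extend(self.fetch(self.build_request(service, self.cursor, now)))
        self.cursor = now
        return collected


def make_constructed_fetch(events: List[Dict]) -> Callable[[Dict], List[Dict]]:
    """In-memory stand-in for the API: filters constructed events by service and window."""
    def fetch(request: Dict) -> List[Dict]:
        p = request["params"]
        return [e for e in events
                if e["service"] == p["service"] and p["start"] <= e["timestamp"] < p["end"]]
    return fetch


# Constructed sample data: one detection predates the install and must never be returned.
INSTALLED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_EVENTS = [
    {"service": "exchange", "timestamp": "2024-01-01T11:30:00Z", "detection": "preexisting"},
    {"service": "exchange", "timestamp": "2024-01-01T12:02:00Z", "detection": "new-1"},
    {"service": "sharepoint", "timestamp": "2024-01-01T12:03:00Z", "detection": "new-2"},
    {"service": "exchange", "timestamp": "2024-01-01T12:07:00Z", "detection": "new-3"},
]


def run_demo():
    """Two polls at the minimum interval; returns the detection names each poll yields."""
    validate_input("cas-detection-logs", MIN_INTERVAL_SECONDS,
                   "https://service-url.example", "TOKEN_PLACEHOLDER")
    poller = DetectionLogPoller("https://service-url.example", "TOKEN_PLACEHOLDER",
                                ["exchange", "sharepoint"],
                                make_constructed_fetch(CONSTRUCTED_EVENTS), INSTALLED_AT)
    first = poller.poll(INSTALLED_AT + timedelta(seconds=MIN_INTERVAL_SECONDS))
    second = poller.poll(INSTALLED_AT + timedelta(seconds=2 * MIN_INTERVAL_SECONDS))
    return [e["detection"] for e in first], [e["detection"] for e in second]


if __name__ == "__main__":
    print(run_demo())
```

The first poll returns only the two detections logged after the install time, and the second poll returns only the detection that arrived after the first poll, which is the same "new logs only" behaviour the note above describes; the pre-install detection is never retrieved. To use the poller against a real tenant you would replace `make_constructed_fetch` with an HTTPS client that sends the request dictionary as built, after confirming the endpoint and parameter names against Get security logs in the API reference.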