The Trend Micro Cloud App Security Add-On for Splunk
Enterprise allows you to retrieve Cloud Email and Collaboration
Protection detection logs on the Splunk console.
Note: The following instructions are based on the Splunk Server Enterprise 8.1.2 release. The Splunk settings may be different if you are using a different version of Splunk. Refer to the Splunk documentation for specific information related to your version.
Procedure
- Open the Splunk console.
- From the left Apps list, click Find More Apps to search for and install the Trend Micro Cloud App Security Add-On for Splunk Enterprise app.
- Configure the add-on settings.
- From the left Apps list of the Splunk console, locate and click Trend Micro Cloud App Security Add-On for Splunk Enterprise. The app configuration screen appears.
- (Optional) Click the Configuration tab, configure the proxy settings, and then click Save if your environment requires a proxy to connect to the Cloud Email and Collaboration Protection URL.
- Click the Inputs tab and then click Create New Input. The Add TMCAS Detection Logs screen appears.
- Specify the following fields:
  - Name: Type a unique name for this data input.
  - Interval: Specify the log query interval in seconds. The interval must be at least 300.
  - Index: Set it to default.
  - Service URL: The service URL provided on the Cloud Email and Collaboration Protection management console. The console logon URL depends on where your Cloud Email and Collaboration Protection service is hosted.
  - Authentication Token: The authentication token created for the Log Retrieval API type on the Cloud Email and Collaboration Protection management console.
  - Select the services to retrieve detection logs from Cloud Email and Collaboration Protection.
- Click Add.
- Configure the Splunk Dashboard settings.
- From the Splunk home screen, click Search & Reporting.
- Click the Dashboards tab.
- Click the Create New Dashboard button.
- Specify the Title and ID, and then click Create Dashboard. The Edit Dashboard screen opens.
- Click Source.
- Copy and paste the contents of the Splunk dashboard configuration content into the Edit Dashboard screen.
- Click Save.
The new dashboard appears in the Dashboards list and starts displaying the retrieved Cloud Email and Collaboration Protection detection logs. For details about the raw log data in Splunk, see Response Fields in Get security logs.

Important:
After successfully installing the Splunk add-on, Splunk begins pulling new logs from Cloud Email and Collaboration Protection as detections occur. The add-on does not pull preexisting logs from Cloud Email and Collaboration Protection. You may need to allow some time before new logs start to appear.