Views:

Background

Trend Micro Apex Central forwards Syslog messages in CEF format to Splunk, including quarantine attempts for malware detections. Multiple quarantine attempts for the same detection may appear as separate events with unique event IDs, causing excessive false positive alerts in Splunk.

Key Points

  • Unique event IDs are unique per log event, not per detection, thus cannot be used alone to correlate multiple quarantine attempts for the same detection.
  • Splunk correlation must rely on combining multiple fields and logic to identify related quarantine attempts.
  • Action result codes (cn2) indicate success or failure of quarantine actions.

Step-by-Step Solution for Splunk Correlation

1. Configure Trend Micro Apex Central Syslog Settings

  • Log in to Trend Micro Apex Central Web Console.
  • Navigate to Administration > Settings > Syslog Settings.
  • Set Log Format to CEF. For more details on supported log formats, see Supported Log Types and Formats.
  • Enable Security Logs including virus/malware detection logs.

2. Understand Action Result Codes

  • Success codes: 23 (File quarantined), 36 (Quarantined successfully).
  • Failure codes: 123, 129, 136, 139 (Unable to quarantine/clean).

3. Extract Correlation Fields in Splunk

Use Splunk rex commands to extract:

  • event ID (unique event ID)
  • cn2 (action result code)
  • fname (file name)
  • src or shost (source IP/host)
  • _time (event timestamp)

4. Implement Correlation Logic in Splunk

Create a saved search to:

  • Group events by fname and relevant identifiers (e.g., source IP)
  • Track all quarantine attempts per file
  • Identify if any success (cn2=23 or 36) exists among attempts
  • Suppress alerts for failed attempts if a success exists within a reasonable time window

Example SPL snippet:

index=apex_central sourcetype=syslog "CEF:" "Apex Central"
| rex "cn2=(?<actionCode>\\d+)"
| rex "fname=(?<fileName>\\S+)"
| eval actionStatus=case(
    actionCode=="23" OR actionCode=="36", "SUCCESS",
    actionCode=="123" OR actionCode=="129" OR actionCode=="136" OR actionCode=="139", "FAILED",
    true(), "OTHER"
)
| where actionStatus!="OTHER"
| stats values(actionStatus) as statuses, earliest(_time) as firstTime, latest(_time) as lastTime by fileName
| eval hasSuccess=if(mvfind(statuses, "SUCCESS")>=0, "true", "false")
| eval hasFailure=if(mvfind(statuses, "FAILED")>=0, "true", "false")
| where NOT (hasSuccess=="true" AND hasFailure=="true")

5. Adjust Alerting Logic

  • Configure alerts to trigger only when quarantine failures occur without subsequent success within a defined time window (e.g., 30 minutes).
  • Suppress alerts for failures followed by success to reduce noise.

6. Monitor and Validate

  • Create dashboards showing quarantine success vs failure trends.
  • Validate correlation by testing known cases where multiple attempts occur.

Additional Notes

  • The uniqueness of event IDs per event is by design and follows CEF standards.
  • The correlation and suppression logic must be implemented on the SIEM (Splunk) side.
  • Recent debug builds for ServerProtect for Storage (SPFS) improve logging clarity, especially for files inside ZIP archives, aiding correlation. For more information on debug logging, see Collecting ICAP debug logs in ServerProtect for Storage (SPFS).
  • If quarantine failures persist for local realtime or manual scans, additional debug builds and logs may be required.

References

Keywords: apex central syslog correlation, splunk quarantine alert optimization, cef format syslog logs, quarantine action result codes, splunk alert suppression logic, multiple quarantine attempts alerts, serverprotect storage debug build, syslog event correlation splunk