DS-23230 Support applciation control

1. Add index for application control events.
2. Create dashboard and saved search for application control events.
3. Consist the label/title cross dashboards

Author: chchhsiao

TrendMicroDeepSecurity/default/data/ui/nav/default.xml

@@ -1,28 +1,30 @@
 <nav color="#db3d44">
-	<view name="flashtimeline" default='true' />
-	<collection label="Dashboards">
-		<view name="deepsecurity_antimalware_dashboard" />
-		<view name="deepsecurity_firewall_dashboard" />
-		<view name="deepsecurity_ips_dashboard" />
-		<view name="deepsecurity_integritymonitoring_dashboard" />
-		<view name="deepsecurity_loginspection_dashboard" />
+    <view name="flashtimeline" default='true' />
+    <collection label="Dashboards">
+        <view name="deepsecurity_antimalware_dashboard" />
+        <view name="deepsecurity_appcontrol_dashboard" />
+        <view name="deepsecurity_firewall_dashboard" />
+        <view name="deepsecurity_ips_dashboard" />
+        <view name="deepsecurity_integritymonitoring_dashboard" />
+        <view name="deepsecurity_loginspection_dashboard" />
         <view name="deepsecurity_webreputation_dashboard" />
-	</collection>
-	<collection label="Saved Searches">
+    </collection>
+    <collection label="Saved Searches">
         <collection label="Security Events">
             <saved source="unclassified" match="Deep Security - High Severity Events"/>
             <saved source="unclassified" match="Deep Security - All Security Events" />
             <collection label="Module Events">
                 <saved source="unclassified" match="Deep Security - Anti-Malware Events" />
+                <saved source="unclassified" match="Deep Security - Application Control Events" />
                 <saved source="unclassified" match="Deep Security - Firewall Events" />
-			    <saved source="unclassified" match="Deep Security - Intrusion Prevention Events" />
-			    <saved source="unclassified" match="Deep Security - Integrity Monitoring Events" />
-			    <saved source="unclassified" match="Deep Security - Log Inspection Events" />
-			    <saved source="unclassified" match="Deep Security - Web Reputation Events" />
+                <saved source="unclassified" match="Deep Security - Intrusion Prevention Events" />
+                <saved source="unclassified" match="Deep Security - Integrity Monitoring Events" />
+                <saved source="unclassified" match="Deep Security - Log Inspection Events" />
+                <saved source="unclassified" match="Deep Security - Web Reputation Events" />
             </collection>
-		</collection>
+        </collection>
         <collection label="System Events">
             <saved source="unclassified" match="Deep Security - System Events" />
         </collection>
-	</collection>
+    </collection>
 </nav>

TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_antimalware_dashboard.xml

@@ -2,7 +2,7 @@
   <label>Deep Security Anti-Malware Dashboard</label>
   <fieldset submitButton="false">
     <input type="time" token="timeframe">
-      <label>Timeframe</label>
+      <label>Time Frame</label>
       <default>
         <earliestTime>-24h@h</earliestTime>
         <latestTime>now</latestTime>
@@ -13,7 +13,7 @@
     <panel>
       <chart>
         <title>Anti-Malware Event History</title>
-        <searchString>sourcetype="deepsecurity-antimalware"| timechart count by act limit=10</searchString>
+        <searchString>sourcetype=deepsecurity-antimalware | timechart count by act limit=10</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
@@ -42,8 +42,8 @@
   <row>
     <panel>
       <table>
-        <title>Anti-Malware Status (Computers)</title>
-        <searchString>sourcetype="deepsecurity-antimalware"| top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <title>Anti-Malware Activity</title>
+        <searchString>sourcetype=deepsecurity-antimalware | top limit=5 cef_rulename | rename cef_rulename as "Malware Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>
@@ -55,8 +55,8 @@
     </panel>
     <panel>
       <table>
-        <title>Anti-Malware Status (Malware)</title>
-        <searchString>sourcetype="deepsecurity-antimalware"| top limit=5 cef_rulename | rename cef_rulename as "Malware Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <title>Anti-Malware Computer Activity</title>
+        <searchString>sourcetype=deepsecurity-antimalware | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
         <earliestTime>$timeframe.earliest$</earliestTime>
         <latestTime>$timeframe.latest$</latestTime>
         <option name="wrap">true</option>

TrendMicroDeepSecurity/default/data/ui/views/deepsecurity_appcontrol_dashboard.xml

@@ -0,0 +1,70 @@
+<form>
+  <label>Deep Security Application Control Dashboard</label>
+  <fieldset submitButton="false">
+    <input type="time" token="timeframe">
+      <label>Time Frame</label>
+      <default>
+        <earliestTime>-24h@h</earliestTime>
+        <latestTime>now</latestTime>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <chart>
+        <title>Application Control Event History</title>
+        <searchString>sourcetype=deepsecurity-app_control | timechart count by act limit=10</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.text">Hour</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.text">Events</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">false</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Application Control Activity</title>
+        <searchString>sourcetype=deepsecurity-app_control | top limit=5 cef_rulename | rename cef_rulename as "Event Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Application Control Computer Activity</title>
+        <searchString>sourcetype=deepsecurity-app_control | top limit=5 dvchost | rename dvchost as "Computer Name" count AS "Event Count" percent AS "Percent of Total"</searchString>
+        <earliestTime>$timeframe.earliest$</earliestTime>
+        <latestTime>$timeframe.latest$</latestTime>
+        <option name="wrap">true</option>
+        <option name="rowNumbers">false</option>
+        <option name="dataOverlayMode">none</option>
+        <option name="drilldown">cell</option>
+        <option name="count">10</option>
+      </table>
+    </panel>
+  </row>
+</form>

TrendMicroDeepSecurity/default/props.conf

@@ -10,6 +10,7 @@ TRANSFORMS-system_events = deepsecurity-system_events
 TRANSFORMS-integrity_monitoring = deepsecurity-integrity_monitoring
 TRANSFORMS-log_inspection = deepsecurity-log_inspection
 TRANSFORMS-web_reputation = deepsecurity-web_reputation
+TRANSFORMS-app_control = deepsecurity-app_control
 KV_MODE = none
 
 [deepsecurity-firewall]
@@ -77,3 +78,11 @@ pulldown_type = 1
 FIELDALIAS-Deep Security Web Reptuation Field Aliases = cef_vendor AS vendor cef_product AS product request AS url dvchost AS src act AS action cef_ruleid AS rule_id
 REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom
 KV_MODE = none
+
+[deepsecurity-app_control]
+NO_BINARY_CHECK = 1
+SHOULD_LINEMERGE = false
+pulldown_type = 1
+FIELDALIAS-Deep Security Application Control Aliases = cef_vendor AS vendor cef_product AS product dvchost AS src act AS action cef_ruleid AS rule_id
+REPORT-cefevents = deepsecurity-cefheaders,deepsecurity-cefkeys,deepsecurity-cefcustom
+KV_MODE = none

TrendMicroDeepSecurity/default/savedsearches.conf

@@ -79,3 +79,12 @@ cron_schedule = 0 0 * * *
 description = All High and Critical severity events from Deep Security's modules
 dispatch.earliest_time = -1h
 search = sourcetype=deepsecurity* NOT deepsecurity-system_events cef_severity > 7
+
+[Deep Security - Application Control Events]
+alert.suppress = 0
+alert.track = 0
+auto_summarize.dispatch.earliest_time = -1d@h
+cron_schedule = 0 0 * * *
+description = Events generated by Deep Security's Application Control module
+dispatch.earliest_time = -1h
+search = sourcetype=deepsecurity-app_control

TrendMicroDeepSecurity/default/transforms.conf

@@ -44,6 +44,11 @@ REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(4[0-9][0-9][0-9]
 FORMAT = sourcetype::deepsecurity-antimalware
 DEST_KEY = MetaData:Sourcetype
 
+[deepsecurity-app_control]
+REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Agent\|([^|]*)\|(6[0-9][0-9][0-9][0-9][0-9][0-9])\|
+FORMAT = sourcetype::deepsecurity-app_control
+DEST_KEY = MetaData:Sourcetype
+
 [deepsecurity-system_events]
 REGEX = CEF:(\s)?(\d+)\|([^|]*)\|Deep Security Manager\|([^|]*)\|
 FORMAT = sourcetype::deepsecurity-system_events