All Apps and Add-ons

Cisco Firepower eStreamer eNcore Add-on for Splunk Missing fields

_joe
Communicator

Hello All,

Using Splunk 8.0.5 and Cisco Firepower eStreamer eNcore Add-on for Splunk 3.6.8|4.0.7 (just finished installing it).  I was comparing ingests between Splunk and ArcSight and it would seem ArcSight has a few extra fields for certain rec_type=400 web events:

-             Request                                             <malicious URL>
-             requestContext                                 <Similar to the referrer>
-             requestClientApplication                 <Similar to User Agent>

ArcSight may be converting this from an additional payload field but I am having a hard time confirming how that is happening. For these events Splunk does receive an additional rec_type=110 with a type “HTTP URI” and an alphanumeric “data” field, but my events don’t include anything similar to a uri or referrer.

I was wondering if anyone else run across this?

 

 

Labels (1)
0 Karma

_joe
Communicator

As a follow up, I was able to start collecting packets and then use the Splunk Decrypt app to decode the payload. The packets will sometimes contain garbled Request/RequestContext information.

https://splunkbase.splunk.com/app/2655/

<search>
| rex field=packet "\'(?<clean_packet>[^']+)"
| decrypt field=clean_packet unhex() emit('packet_info')

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...