Cisco Firepower eStreamer eNcore Add-on for Splunk...

_joe · ‎09-14-2020

Hello All,

Using Splunk 8.0.5 and Cisco Firepower eStreamer eNcore Add-on for Splunk 3.6.8|4.0.7 (just finished installing it). I was comparing ingests between Splunk and ArcSight and it would seem ArcSight has a few extra fields for certain rec_type=400 web events:

-             Request                                             <malicious URL>
-             requestContext                                 <Similar to the referrer>
-             requestClientApplication                 <Similar to User Agent>

ArcSight may be converting this from an additional payload field but I am having a hard time confirming how that is happening. For these events Splunk does receive an additional rec_type=110 with a type “HTTP URI” and an alphanumeric “data” field, but my events don’t include anything similar to a uri or referrer.

I was wondering if anyone else run across this?

_joe · ‎09-15-2020

As a follow up, I was able to start collecting packets and then use the Splunk Decrypt app to decode the payload. The packets will sometimes contain garbled Request/RequestContext information.

https://splunkbase.splunk.com/app/2655/

<search>
| rex field=packet "\'(?<clean_packet>[^']+)"
| decrypt field=clean_packet unhex() emit('packet_info')

Cisco Firepower eStreamer eNcore Add-on for Splunk Missing fields

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation