Cisco Firepower eStreamer eNcore Add-on for Splunk Missing fields

_joe
Contributor

Hello All,

Using Splunk 8.0.5 and Cisco Firepower eStreamer eNcore Add-on for Splunk 3.6.8|4.0.7 (just finished installing it).  I was comparing ingests between Splunk and ArcSight and it would seem ArcSight has a few extra fields for certain rec_type=400 web events:

- Request                  <malicious URL>
- requestContext           <similar to the referrer>
- requestClientApplication <similar to User Agent>

ArcSight may be converting this from an additional payload field but I am having a hard time confirming how that is happening. For these events Splunk does receive an additional rec_type=110 with a type “HTTP URI” and an alphanumeric “data” field, but my events don’t include anything similar to a uri or referrer.

I was wondering if anyone else has run across this?

_joe
Contributor

As a follow up, I was able to start collecting packets and then use the Splunk Decrypt app to decode the payload. The packets will sometimes contain garbled Request/RequestContext information.

https://splunkbase.splunk.com/app/2655/

<search>
| rex field=packet "\'(?<clean_packet>[^']+)"
| decrypt field=clean_packet unhex() emit('packet_info')

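To show what the rex-then-unhex search above recovers, here is an added Python example (not from the thread or the eNcore add-on) that decodes a constructed hex packet payload and pulls out the request line, Referer and User-Agent, i.e. the three ArcSight fields from the original question; the `b'<hex>'` layout of the packet field is an assumption, and a garbled payload yields no fields rather than an error.

```python
import binascii
import re

# Constructed sample HTTP request; assumption: the Splunk 'packet' field holds
# the payload as a quoted hex string, which the rex in the thread strips.
SAMPLE_HTTP = (
    b"GET /index.php?id=1 HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Referer: http://referrer.example.test/page\r\n"
    b"\r\n"
)
SAMPLE_PACKET_FIELD = "b'" + binascii.hexlify(SAMPLE_HTTP).decode() + "'"


def clean_packet(packet_field):
    """Mirror the SPL rex: keep the run of characters after the first quote."""
    m = re.search(r"'([^']+)", packet_field)
    return m.group(1) if m else None


def decode_hex_payload(hex_text):
    """Mirror decrypt's unhex(); garbled/non-hex input returns None."""
    if hex_text is None:
        return None
    try:
        return binascii.unhexlify(hex_text)
    except (binascii.Error, ValueError):
        return None


def extract_http_fields(payload):
    """Map request line, Referer and User-Agent onto the ArcSight field names."""
    if payload is None:
        return {}
    text = payload.decode("latin-1")  # byte-transparent; never raises
    fields = {}
    m = re.match(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d", text)
    if m:
        fields["Request"] = m.group(2)
    for header, key in (("Referer", "requestContext"),
                        ("User-Agent", "requestClientApplication")):
        h = re.search(r"^%s:\s*(.*?)\r?$" % header, text, re.MULTILINE | re.IGNORECASE)
        if h:
            fields[key] = h.group(1)
    return fields


def parse_packet_field(packet_field):
    """Full pipeline: rex -> unhex -> HTTP field extraction."""
    return extract_http_fields(decode_hex_payload(clean_packet(packet_field)))
```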