Hello All,
Using Splunk 8.0.5 and Cisco Firepower eStreamer eNcore Add-on for Splunk 3.6.8|4.0.7 (just finished installing it). I was comparing ingests between Splunk and ArcSight and it would seem ArcSight has a few extra fields for certain rec_type=400 web events:
- Request <malicious URL>
- requestContext <Similar to the referrer>
- requestClientApplication <Similar to User Agent>
ArcSight may be converting this from an additional payload field but I am having a hard time confirming how that is happening. For these events Splunk does receive an additional rec_type=110 with a type “HTTP URI” and an alphanumeric “data” field, but my events don’t include anything similar to a uri or referrer.
I was wondering if anyone else has run across this?
As a follow-up, I was able to start collecting packets and then use the Splunk Decrypt app to decode the payload. The packets will sometimes contain garbled Request/RequestContext information.
https://splunkbase.splunk.com/app/2655/
<search>
| rex field=packet "\'(?<clean_packet>[^']+)"
| decrypt field=clean_packet unhex() emit('packet_info')
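As an added example (not part of the original post or the eNcore add-on), the following Python does the same unhex step outside Splunk and pulls the three ArcSight-style fields (request, requestContext/Referer, requestClientApplication/User-Agent) out of the decoded payload. The names `extract_http_fields` and `SAMPLE_PACKET_HEX` and the sample request are constructed for illustration; the leading-quote strip mirrors what the rex in the search above does.

```python
import binascii
import re

# Constructed sample: a hex-encoded HTTP request payload of the kind that
# shows up in the packet / rec_type=110 "HTTP URI" data field (not real data).
SAMPLE_PACKET_HEX = binascii.hexlify(
    b"GET /login.php?user=admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Referer: http://example.test/index.html\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"\r\n"
).decode()


def extract_http_fields(packet_hex: str) -> dict:
    """Decode a hex payload (the unhex() step) and return the request URL,
    Referer and User-Agent. Returns {} when the bytes are not hex or do not
    start with an HTTP request line (e.g. a garbled or truncated packet)."""
    packet_hex = packet_hex.lstrip("'")  # stray leading quote, as in the rex
    try:
        raw = binascii.unhexlify(packet_hex)
    except (binascii.Error, ValueError):
        return {}
    # latin-1 maps every byte, so garbled bytes are kept rather than raising
    text = raw.decode("latin-1")
    m = re.match(r"([A-Z]+) (\S+) HTTP/\d\.\d\r?\n", text)
    if not m:
        return {}
    fields = {"method": m.group(1), "request": m.group(2)}
    headers = {}
    for line in text[m.end():].split("\n"):
        line = line.rstrip("\r")
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host and fields["request"].startswith("/"):
        # rebuild the full URL the way ArcSight's Request field presents it
        fields["request"] = f"http://{host}{fields['request']}"
    fields["requestContext"] = headers.get("referer", "")
    fields["requestClientApplication"] = headers.get("user-agent", "")
    return fields
```

Run it against the `data` field of a rec_type=110 event to confirm whether the URI and referrer ArcSight shows are actually present in the payload Splunk receives.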