This is the unbelievably ridiculous content of eventtypes.conf
from the TA-FireEye_v3
app ( https://splunkbase.splunk.com/app/1904 😞
[eventtype=fe]
alert = enabled
attack = enabled
email = enabled
malware = enabled
operations = enabled
ids = enabled
network = enabled
session = enabled
start = enabled
end = enabled
dhcp = enabled
vpn = enabled
communicate = enabled
proxy = enabled
web = enabled
This creates pollution into the most common CIM Data Models, and is totally unacceptable. Surely I am not the only one who has run into this and has contemplated/completed fixing it. If you have anything to share, please post here or email/PM me.
OK, here is what I have done for now with my client (I am quite sure that he is not using all of the FireEye capabilites so this may not be enough for you/rs). Put these files in the local directory of TA-FireEye_v3
:
eventtypes.conf:
# Gregg Woodcock and Splunxter, Inc.
[fe_ips]
search = (( sourcetype = "fe_json_syslog" \
AND (category = "ips-event") ))
[fe_malware]
search = (( sourcetype = "fe_json_syslog" \
AND (category = "malware-object" \
OR category = "infection-match" \
OR category = "domain-match" \
OR category = "malware-callback") ))
tags.conf:
# Gregg Woodcock and Splunxter, Inc.
[eventtype=fe]
# OVERRIDE THE DEFAULT SETTINGS WHICH ARE TRASH!!!!
# https://answers.splunk.com/answers/711184/did-you-fix-the-fireeye-tas-eventtypesconf-if-so-p.html
alert = disabled
attack = disabled
communicate = disabled
dhcp = disabled
email = disabled
end = disabled
ids = disabled
malware = disabled
network = disabled
operations = disabled
proxy = disabled
session = disabled
start = disabled
vpn = disabled
web = disabled
[eventtype=fe_malware]
malware = enabled
attack = enabled
[eventtype=fe_ips]
ids = enabled
attack = enabled
OK, here is what I have done for now with my client (I am quite sure that he is not using all of the FireEye capabilites so this may not be enough for you/rs). Put these files in the local directory of TA-FireEye_v3
:
eventtypes.conf:
# Gregg Woodcock and Splunxter, Inc.
[fe_ips]
search = (( sourcetype = "fe_json_syslog" \
AND (category = "ips-event") ))
[fe_malware]
search = (( sourcetype = "fe_json_syslog" \
AND (category = "malware-object" \
OR category = "infection-match" \
OR category = "domain-match" \
OR category = "malware-callback") ))
tags.conf:
# Gregg Woodcock and Splunxter, Inc.
[eventtype=fe]
# OVERRIDE THE DEFAULT SETTINGS WHICH ARE TRASH!!!!
# https://answers.splunk.com/answers/711184/did-you-fix-the-fireeye-tas-eventtypesconf-if-so-p.html
alert = disabled
attack = disabled
communicate = disabled
dhcp = disabled
email = disabled
end = disabled
ids = disabled
malware = disabled
network = disabled
operations = disabled
proxy = disabled
session = disabled
start = disabled
vpn = disabled
web = disabled
[eventtype=fe_malware]
malware = enabled
attack = enabled
[eventtype=fe_ips]
ids = enabled
attack = enabled