Re: FireEye app and eMPS

hcpr · ‎04-24-2014

Hi.

I hope someone has had success with this. I've gotten the FireEye app up and working with the xml alerts from our WebMPS, so I added reporting from our email MPS.
The data shows up in Splunk, but the FireEye app does not see this data for some reason.
I haven't started digging much in the problem, but I suspect that there are some fields that differ between these two.

Has anyone else looked into this?

Thanks.

PrinceOfEval · ‎04-24-2014

Howdy.

I've looked into this a little bit. The FireEye app on SplunkBase seems to be pretty outdated and not very good. If you look at the props.conf and transforms.conf that are included you'll see that the field extractions don't seem to address the email MPS alerts at all. For example, there's no extraction for the source email address.

If you have the logs in XML format, you can use "kv_mode = xml" in props.conf to automatically extract all the XML fields. The automatic extraction tends to yield very complicated field names. This is kind of messy, but you can make it a little better by creating field aliases to give simpler names to the fields you really care about.

hcpr · ‎04-25-2014

Thanks for the tip on kv_mode. I was starting to look in that direction myself.
It's going to be a bit time consuming I think, but I'll see what I can do.

I can always hope that the "official" app is updated 🙂

FireEye app and eMPS

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?