All Apps and Add-ons

Fireeye App eventtype and tag configuration. Why apply all tags to all events all in one go?


We are reviewing the Fireeye app v3 for Splunk CIM compliance; the eventtype configuration that exists in the Splunk FireEye app currently applies all tags all to events, meaning for example the email tag is applied to HX events, resulting in them populating in the Email data model in splunk, which does not seem correct.
We are trying to understand if there is a reason for this, or if there is a reason multiple eventtypes can't be defined to apply the tags a bit more selectively, so that the event types from the various FireEye appliance end up on only the relevant data models.
i.e. Events from HX only end up in the 'Malware' & 'Intrusion Detection' data model and not the 'Email' data model.
The defined eventtype search string in the fireeye app:

search = sourcetype=fe_* OR sourcetype=hx_*

That search results in every fireeye event we have getting tagged with these:

alert, attack, dhcp, email, ids, malware, operations, proxy & web

Could someone familiar with this app and CIM compliance explain the logic of this setup?

Esteemed Legend

This is just plain laziness on the part of the app developers. It is totally, obviously wrong and inexcusable. I am working on my own version of the app to fix it. BARF.

Path Finder

@woodcock did you ever complete a more granular tagging of FireEye events?  would you be willing to share?

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...