- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How do you get FireEye Data in via RestfulAPI?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Creating this post to make a dummy proof post on how to get FireEye JSON data in via http POST . This is also in the FireEye docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Create a user on a HEAVY FORWARDER. The universal forwarder cannot send HTTP POST.
This user is the one that will authenticate through Splunk and it's credentials will be used by the FireEye appliance to send the data.
So....here is an example below...
user=fireEyE_API
password= RiP$RickY (Try to have a complex password that must be under 17 characters--some people have had issues with 16 they say so 8-14 I think is safe)
2) Follow the steps on the FireEye docs about configuring the FireEye Appliance--
Fire_Eye Docs
*Basically you need to have a similar configuration(below) in your FireEye appliance**
https://:8089/services/receivers/simple?host=&source=fe_ alert&sourcetype=fe_
json&index=fireEye_index
Troubleshooting
index=_internal <<>
If you get a 400 code=bad request
If you get a 401 code=bad password probably
If you get 200 code = Take the rest of the day off....
Any other codes = Google
If 200 code and you still don't see your data...try index=* sourcetype=what_you_used source=what_you_used
In the example above, we use fe_alert as the source as and fe_json as the sourcetype
Hope this helps. I will ad more troubleshooting tips and onboarding issues I canvas through answers as I find them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Create a user on a HEAVY FORWARDER. The universal forwarder cannot send HTTP POST.
This user is the one that will authenticate through Splunk and it's credentials will be used by the FireEye appliance to send the data.
So....here is an example below...
user=fireEyE_API
password= RiP$RickY (Try to have a complex password that must be under 17 characters--some people have had issues with 16 they say so 8-14 I think is safe)
2) Follow the steps on the FireEye docs about configuring the FireEye Appliance--
Fire_Eye Docs
*Basically you need to have a similar configuration(below) in your FireEye appliance**
https://:8089/services/receivers/simple?host=&source=fe_ alert&sourcetype=fe_
json&index=fireEye_index
Troubleshooting
index=_internal <<>
If you get a 400 code=bad request
If you get a 401 code=bad password probably
If you get 200 code = Take the rest of the day off....
Any other codes = Google
If 200 code and you still don't see your data...try index=* sourcetype=what_you_used source=what_you_used
In the example above, we use fe_alert as the source as and fe_json as the sourcetype
Hope this helps. I will ad more troubleshooting tips and onboarding issues I canvas through answers as I find them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can confirm the potential password issues - HX appears to only include characters 1-14 of the password into the basic auth headers in the HTTP request, regardless of how long the password actually is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, Thank you Sahr
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
