The NX dashboard queries all look for product=Web MPS. We currently receive product=CMS.
Unfortunately we had to remove support for the CMS to send data directly to the Splunk app on behalf of the LMS appliances.
Version 3.0.5 of the release notes states the following:
"Bug fixes:
- Removed CM dashboards - there is not a clear method of sorting the events"
The reason for this is that some of the notification types such as syslog do not indicate which device type detected the original event. This can be parsed in more complex formats, but for the time being this feature had to be removed until we could devise a way to make this work with all notification formats.
Current deployment guidance is to have each of the LMS appliances send data to the Splunk instance; then the product field will be correct. We will revisit enabling the CMS to send data and autoparse the originating products in the future.
Tony,
I have another question.
We made the changes for each LMS appliance to report.
I see that for all data with 'category=domain-match' the destination IP field shows as 'dvc_ip' and not 'dest_ip'. I am assuming this should be 'dest_ip'. Is there a reason for this in the app itself?
On some of the GeoIP dashboards that look for 'dest_ip', no data with 'category=domain-match' will be populated because of this.
Please advise.
Thanks,
Andrew
The change to each LMS is a good change.
Unfortunately, the domain-match category does not include a dest_ip field in the alert sent to Splunk. In fact, you will see in the FireEye appliance dashboard that there is no destination IP address there either. The attacker URL is in the URL/MD5 category field. If the destination IP address is a desired feature, you will have to submit a feature request ticket to FireEye to have them add the IP to the FireEye device itself and to the alert. Thanks.
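Two audit searches that tie the first question (which product values are actually arriving after the LMS appliances were pointed at Splunk) to the second (which categories carry dest_ip at all). These are added here as an illustration and are not searches from the FireEye app or from either poster; the index name fireeye is an assumption and should be replaced with the index the appliances write to, and the 24-hour window is arbitrary. The field names product, category, dest_ip and dvc_ip are the ones discussed in the thread.

```spl
index=fireeye earliest=-24h
| stats count BY product category
| sort - count

index=fireeye earliest=-24h category=domain-match
| eval has_dest_ip=if(isnotnull(dest_ip), "yes", "no"),
       has_dvc_ip=if(isnotnull(dvc_ip), "yes", "no")
| stats count BY product category has_dest_ip has_dvc_ip
```

The first search should show product=Web MPS (and the other appliance products) rather than product=CMS once each LMS reports directly; any remaining product=CMS rows point to an appliance still routed through the CMS. The second search makes the domain-match situation visible in one table: those events have dvc_ip set but no dest_ip, which is why the GeoIP panels keyed on dest_ip stay empty for that category. Note that dvc_ip is the reporting appliance's own address, not the destination of the connection, so it should not be substituted for dest_ip in those panels; the destination address is simply absent from the alert, as described above.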
Let's get on a webex to troubleshoot and then we can post the answer here. Shoot me an email via the app feedback link.