Getting Data In

How should I configure props/transforms.conf files to index Lancope Stealthwatch syslog in CEF format and OCLC EZProxy logs?

jwalzerpitt
Motivator

I am planning on ingesting syslog from Lancope Stealthwatch and OCLC EZProxy logs. Our environment is set up to send syslog from the sources to our Splunk server, then using rsyslog, we direct the syslog to files to their respective directories.

I’m trying to learn how to configure the props/transforms config files ahead of time so that when I add data and then monitor the directories/files I can select the pre-defined sourcetypes I created.

For the EZproxy logs, I uploaded files into a test index and then extracted fields. Do I now take those regexes and plug them into the transforms.conf file?

Re: the syslog from Lancope Stealthwatch, these logs are in CEF format with key:value pairs. Testing these logs, the automatic sourcetype has some errors for some field extractions. Do I simply plug in the field names/key-value pairs into transforms.conf?

Thx

nadhem
New Member

A Stealthwatch add-on is now posted on Splunk. It maps fields to the Intrusion Detection datamodel.
https://splunkbase.splunk.com/app/3827/

0 Karma

mikaelbje
Motivator

Sorry, but after some consideration my current situation doesn't leave enough time to create an add-on for this. If you decide to go down this route yourself I suggest you model the add-on with fields mapping to one or more of the following CIM data models:
* Alerts (http://docs.splunk.com/Documentation/CIM/4.3.0/User/Alerts)
* Intrusion Detection (http://docs.splunk.com/Documentation/CIM/4.3.0/User/IntrusionDetection)
* Network Traffic (http://docs.splunk.com/Documentation/CIM/4.3.0/User/NetworkTraffic)

If, however, anyone is willing to pay for this work I'm willing to reconsider.

You may also check this official Splunk App which helps you model CEF format logs with Splunk field extractions: https://splunkbase.splunk.com/app/1847/#/overview

0 Karma

jwalzerpitt
Motivator

If you would create an add-on with the extracts and alias them for CIM compliance in Splunk, that would be awesome.

Sample logs as follows (if you need a larger sample, let me know what your email address is and I'll zip up a file and send it):

Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.35M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-I cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 2.46M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-J cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.56M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-K cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 426.23k points. Expected 36.79k points, tolerance of 60 allows up to 300k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-L cs3=Bradford,Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 336.15k points. Expected 22.58k points, tolerance of 60 allows up to 333.99k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-M cs3=Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.2M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-N cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 6.29M points. Expected 2.99M points, tolerance of 50 allows up to 5.38M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-O cs3=Apple,United States cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 735.26k points. Expected 141.05k points, tolerance of 60 allows up to 382.47k points. dst=x.x.x.x src=2620:102:400b:1cfd:d:fc19:f983:be00 start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-P cs3=IPv6 cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=2620:102:400b:1cfd:d:fc19:f983:be00&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:60|High SMB Peers|4| msg=Host may be infected with an SMB worm.: dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-Q cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt=445 proto=6 dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 10M points. Policy maximum allows up to 10M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-R cs3=Johnstown,Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 3.18M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-S cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.04M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-T cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.56M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-U cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.33M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-V cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 18.2M points. Policy maximum allows up to 10M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-W cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:56|Exploitation|4| msg=The Exploitation category tracks attack activity on a network.:Observed 18.17M points. Policy maximum allows up to 10M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-X cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.06M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-Z cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 618.29k points. Expected 81.46k points, tolerance of 60 allows up to 404.08k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-0 cs3=Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.49M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-1 cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.06M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-2 cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.47M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-3 cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 407.2k points. Expected 80.76k points, tolerance of 60 allows up to 337.18k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-4 cs3=Unknown cs3Label=SourceHostGroups cs4=Greensburg cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 2.49M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-5 cs3=Unknown cs3Label=SourceHostGroups cs4=F5 VIPS cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 4.75M points. Expected 2.9M points, tolerance of 50 allows up to 3.27M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-6 cs3=Apple,United States cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:60|High SMB Peers|4| msg=Host may be infected with an SMB worm.: dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-7 cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt=445 proto=6 dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:56|Exploitation|4| msg=The Exploitation category tracks attack activity on a network.:Observed 10M points. Policy maximum allows up to 10M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D6-8 cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:30Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 2.87M points. Expected 67.46k points, tolerance of 60 allows up to 412.87k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-D cs3=Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 1.16M points. Expected 117.8k points, tolerance of 60 allows up to 668.95k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-E cs3=Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 10.57M points. Policy maximum allows up to 10M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-F cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:56|Exploitation|4| msg=The Exploitation category tracks attack activity on a network.:Observed 10.54M points. Policy maximum allows up to 10M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-G cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1.5M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-H cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 6.2M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-I cs3=Unknown cs3Label=SourceHostGroups cs4=Catch All cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-J cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 5.86M points. Expected 3.58M points, tolerance of 50 allows up to 4.92M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-K cs3=Apple,United States cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 706.24k points. Expected 18.16k points, tolerance of 60 allows up to 44.78k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-L cs3=Unknown cs3Label=SourceHostGroups cs4=Wireless cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 981.36k points. Expected 117.16k points, tolerance of 60 allows up to 979.61k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-M cs3=Catch All cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:31Z end= externalId=6C-1B56-YEQT-ODF5-N cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:53:31Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:15|High Target Index|4| msg=The target IP has been the recipient of more than an acceptable number of scan or other malicious attacks.:Observed 1M points. Policy maximum allows up to 1M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:54:00Z end= externalId=6C-1B56-YGC1-KN0F-W cs3=Unknown cs3Label=SourceHostGroups cs4=RESNET cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:54:00Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:54:00Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 4.01M points. Expected 3.22M points, tolerance of 50 allows up to 4.01M points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:54:00Z end= externalId=6C-1B56-YGC1-KN0F-X cs3=Apple,United States cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:54:00Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:54:00Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|Notification:32|High Concern Index|3| msg=The host's concern index has either exceeded the CI threshold or rapidly increased.:Observed 300.19k points. Expected 37.76k points, tolerance of 60 allows up to 300k points. dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:54:00Z end= externalId=6C-1B56-YGC1-KN0F-Y cs3=Wireless cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:54:00Z cs5Label=Source_URL cs6=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x&date=2015-10-13T18:54:00Z cs6Label=Target_URL dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId=
0 Karma
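An added example, not code from this thread or from the Splunkbase add-on: a Python parser for the Stealthwatch lines posted above, showing the extraction logic a props/transforms configuration has to encode. It handles the pipe-delimited CEF header, extension values that contain spaces and colons (msg=, cs3=Catch All) or are empty (end=, dpt=), the csNLabel names that give cs3/cs4 their meaning, and a projection onto CIM Intrusion Detection field names; the field mapping and ids_type=network are choices made here, not the add-on's.

```python
import re
from typing import Dict

# Two events copied from the sample logs posted above (IPs masked as posted); the
# first keeps one of the two snapshot URLs, the second omits both to stay short.
SAMPLE_SMB = (
    "Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|"
    "Notification:60|High SMB Peers|4| msg=Host may be infected with an SMB worm.: "
    "dst=x.x.x.x src=x.x.x.x start=2015-10-13T18:53:30Z end= "
    "externalId=6C-1B56-YEOU-N9D5-Q cs3=Catch All cs3Label=SourceHostGroups "
    "cs4=Unknown cs4Label=TargetHostGroups "
    "cs5=https://x.x.x.x/smc/getHostSnapshot?domainid=123&hostip=x.x.x.x"
    "&date=2015-10-13T18:53:30Z cs5Label=Source_URL "
    "dpt=445 proto=6 dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId="
)
SAMPLE_CI = (
    "Oct 13 13:54:34   StealthWatch[3375]:  CEF:0|Lancope|StealthWatch|6.1|"
    "Notification:32|High Concern Index|3| msg=The host's concern index has either "
    "exceeded the CI threshold or rapidly increased.:Observed 735.26k points. "
    "Expected 141.05k points, tolerance of 60 allows up to 382.47k points. "
    "dst=x.x.x.x src=2620:102:400b:1cfd:d:fc19:f983:be00 "
    "start=2015-10-13T18:53:30Z end= externalId=6C-1B56-YEOU-N9D5-P "
    "cs3=IPv6 cs3Label=SourceHostGroups cs4=Unknown cs4Label=TargetHostGroups "
    "dpt= proto= dvchost= dvc=x.x.x.x dvcpid=123 deviceExternalId="
)

# Syslog prefix as the posted lines carry it (rsyslog template without a hostname).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<program>[^\s\[]+)\[(?P<pid>\d+)\]:\s+(?P<cef>CEF:.*)$"
)

# CEF header: version plus six pipe-delimited fields; a literal pipe inside a
# header field is escaped as \| so the field pattern must accept escapes.
_HF = r"((?:\\.|[^|\\])*)"
HEADER_RE = re.compile(r"^CEF:(\d+)\|" + r"\|".join([_HF] * 6) + r"\|(.*)$")
HEADER_NAMES = ("cef_version", "vendor", "product", "product_version",
                "signature_id", "name", "severity")

# Extension key=value pairs. Values may contain spaces and colons (msg=, cs3=Catch
# All) or be empty (end=, dpt=), so a value runs until the next " key=" boundary.
# The same pattern serves as a transforms.conf REGEX with FORMAT = $1::$2 and
# REPEAT_MATCH = true; Splunk's automatic key=value extraction stops at whitespace.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a syslog-wrapped CEF line into header, extension and label-aliased fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    fields = {"syslog_time": m["timestamp"], "program": m["program"], "pid": m["pid"]}
    h = HEADER_RE.match(m["cef"])
    if not h:
        raise ValueError("malformed CEF header")
    for key, raw in zip(HEADER_NAMES, h.groups()[:7]):
        fields[key] = raw.replace(r"\|", "|").replace(r"\\", "\\")
    for key, value in EXT_RE.findall(h.group(8)):
        fields[key] = value.strip()
    # Stealthwatch fills custom strings cs3..cs6 and names each one with csNLabel;
    # expose the value under that name too, as a Splunk field alias would.
    for key, label in list(fields.items()):
        lab = re.fullmatch(r"(c[sn]\d+)Label", key)
        if lab and label and lab.group(1) in fields:
            fields[label] = fields[lab.group(1)]
    return fields


PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}  # IANA protocol numbers seen in proto=


def cim_severity(sev: str) -> str:
    """Fold CEF's 0-10 severity into the Low/Medium/High/Very-High bands of the CEF spec."""
    n = int(sev)
    return "low" if n <= 3 else "medium" if n <= 6 else "high" if n <= 8 else "very-high"


def to_intrusion_detection(fields: Dict[str, str]) -> Dict[str, str]:
    """Project extracted fields onto CIM Intrusion Detection names (mapping chosen here).
    Empty values Stealthwatch emits (end=, dpt=, dvchost=) are dropped."""
    proto = fields.get("proto", "")
    out = {
        "vendor_product": f"{fields['vendor']} {fields['product']}",
        "signature_id": fields["signature_id"],
        "signature": fields["name"],
        "severity": cim_severity(fields["severity"]),
        "ids_type": "network",
        "src": fields.get("src", ""),
        "dest": fields.get("dst", ""),
        "dest_port": fields.get("dpt", ""),
        "transport": PROTO.get(proto, proto),
        "dvc": fields.get("dvc", ""),
    }
    return {k: v for k, v in out.items() if v}


if __name__ == "__main__":
    for line in (SAMPLE_SMB, SAMPLE_CI):
        print(to_intrusion_detection(parse_event(line)))
```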

jbaderts
New Member

I would be very interested in this as well. I'd love to see a reply.

0 Karma

mikaelbje
Motivator

I just realized you never got a reply on this. Did you figure this out?

If you post sample logs from your Stealthwatch server I might consider creating a technology add-on with the extracts you need and alias them for CIM compliance in Splunk.

0 Karma