Splunk Enterprise Security

Enterprise Security: Is Blue Coat a CIM Network Traffic compliant?

danielbb
Motivator

Based on Sourcetypes for the Splunk Add-on for Symantec Blue Coat ProxySG

bluecoat:proxysg:access:file is CIM compliant with the Network Traffic and the Web ones.

However, with the automatic tagging of the TA, our bluecoat index is tagged only as Web. Why is that?

0 Karma

harsmarvania57
SplunkTrust

Hi,

What sourcetypes are available in your Bluecoat index? If you search index=YOUR_BLUECOAT_INDEX sourcetype=bluecoat:proxysg:access:file, does it return any events? If yes, are those events tagged with the network and communicate tags?

0 Karma

danielbb
Motivator

@harsmarvania57. index=YOUR_BLUECOAT_INDEX sourcetype=bluecoat:proxysg:access:file returns events and the tags are - web, proxy, error, unix and os.

0 Karma

harsmarvania57
SplunkTrust

While looking at the Bluecoat add-on, it looks like it is not mapping the network and communicate tags to any of the bluecoat data, which means you can't map data into the Network Traffic datamodel using this add-on.

eventtypes.conf

[bluecoat_proxy_access_file]
search = sourcetype=bluecoat:proxysg:access:file NOT bluecoat_header="#"
#tags = web proxy

tags.conf

[eventtype=bluecoat_proxy_access_file]
web = enabled
proxy = enabled

Please submit docs feedback on the page https://docs.splunk.com/Documentation/AddOns/released/BlueCoatProxySG/Sourcetypes. At the bottom of the page you can see "Was this topic useful?"; please submit feedback there so it goes directly to the docs team.

danielbb
Motivator

@harsmarvania57 - many thanks!!! Please convert to an answer.

0 Karma

danielbb
Motivator

Just checked mine.

eventtypes.conf -

[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
#tags = web proxy

[bluecoat_traffic_monitor]
search = sourcetype = bluecoat:proxysg:access* (s_session_id="*" AND NOT s_session_id = "-") NOT bluecoat_header="#"
# tags = network communicate

tags.conf -

[eventtype=bluecoat_proxy]
web = enabled
proxy = enabled

[eventtype=bluecoat_traffic_monitor]
network = enabled
communicate = enabled

It looks like a version issue...

0 Karma
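Added example (not part of this thread or of the add-on): a small Python check that resolves which tags a sourcetype inherits through eventtypes.conf and tags.conf, so you can confirm whether the add-on version you have installed maps bluecoat:proxysg:access:file to the Network_Traffic tags before relying on that datamodel. The conf text is a constructed copy of the 3.5.0 stanzas quoted above, and the app path in the comment is an assumption.

```python
import configparser
import fnmatch
import re

# Constructed inline copy of the 3.5.0 stanzas from the thread, standing in for
# the real files (assumed under $SPLUNK_HOME/etc/apps/<bluecoat TA>/default/).
EVENTTYPES_CONF = """
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"

[bluecoat_traffic_monitor]
search = sourcetype = bluecoat:proxysg:access* (s_session_id="*" AND NOT s_session_id = "-") NOT bluecoat_header="#"
"""

TAGS_CONF = """
[eventtype=bluecoat_proxy]
web = enabled
proxy = enabled

[eventtype=bluecoat_traffic_monitor]
network = enabled
communicate = enabled
"""

# Tags each CIM datamodel requires (the two models discussed in the thread).
DATAMODEL_TAGS = {"Network_Traffic": {"network", "communicate"}, "Web": {"web"}}


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, as Splunk does
    cp.read_string(text)
    return cp


def tags_for_sourcetype(sourcetype, eventtypes_text, tags_text):
    """Return the tags an event of `sourcetype` gets via matching eventtypes."""
    eventtypes, tags, result = _parse(eventtypes_text), _parse(tags_text), set()
    for name in eventtypes.sections():
        # Collect every sourcetype=<pattern> term (wildcards allowed) in the search.
        patterns = re.findall(r'sourcetype\s*=\s*"?([^\s"()]+)"?', eventtypes[name].get("search", ""))
        if not any(fnmatch.fnmatchcase(sourcetype, p) for p in patterns):
            continue
        stanza = f"eventtype={name}"
        if tags.has_section(stanza):
            result |= {t for t, v in tags[stanza].items() if v == "enabled"}
    return result


def datamodel_coverage(sourcetype, eventtypes_text, tags_text):
    """Map each datamodel to True when all of its required tags are present."""
    have = tags_for_sourcetype(sourcetype, eventtypes_text, tags_text)
    return {dm: req <= have for dm, req in DATAMODEL_TAGS.items()}
```

Dropping the bluecoat_traffic_monitor stanza reproduces the 3.6.0 situation described below, where only Web is covered.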

harsmarvania57
SplunkTrust

Yes, I can see the config which you have provided in version 3.5.0, but in 3.6.0 I can't see any mapping to the Network_Traffic datamodel.

danielbb
Motivator

Got it, we are on 3.5.0.

0 Karma