Splunk Enterprise Security

Fire Eye TA v3 lost sourcetype after update

walsborn
Path Finder

Hello,

I recently updated the Fire Eye TA to version 3 and now I am not receiving any data. I have 6 indexers and 4 search heads, with many UFs. I have the TA installed on the indexers only, and the app on the search heads; the app is working with previous data. My index is security and my sourcetype is hx_cef_syslog, and I have the files below in default. Can anyone see what I'm doing wrong?

[eventtypes.conf file]

```ini
[fe]
search = sourcetype=fe_* OR sourcetype=hx_*
```

[my props.conf file]

```ini
# Stanzas in this file
# - syslog - Should probably not be used unless desperate
# - fe_json_syslog
# - fe_xml_syslog - JSON is preferred
# - hx_cef_syslog
# - fe_cef_syslog
# - fe_csv_syslog
# - fe_xml - JSON is preferred
# - fe_json
# - fe_tap_json

# Can convert syslog to other sourcetypes, but sourcetype should be specified elsewhere
[syslog]
# The next two lines use transforms.conf to send the syslog events and rename them to
# something other than syslog. fe_xml_syslog and fe_xml_json should be sent directly as
# those sourcetypes.
TRANSFORMS-updateFireEyeSourcetypes = fix_FireEye_CEF_st, fix_FireEye_CSV_st, fix_FireEye_XML_st, fix_FireEye_JSON_st
TRANSFORMS-updateFireEyeHXSourcetypes = fix_HX_CEF_st, fix_HX2_CEF_st
# Uncomment the next line to send FireEye data to a separate index called "security"
TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in

###### FireEye JSON over SYSLOG ###### - RECOMMENDED INSTEAD OF XML
[fe_json_syslog]
SHOULD_LINEMERGE = false
KV_MODE = json
TRUNCATE = 0
SEDCMD-carriage_return = s/[\n\r]/ /g
SEDCMD-remove_nulls = s/\x00//g
LINE_BREAKER = (?:<\d+>fenotify-\d+.?:)
# Strip the SYSLOG header off to make it JSON
TRANSFORMS-stripSyslog = FEYE-syslog-header-strip
FIELDALIAS-category_for_fireeye = alert.name as category
FIELDALIAS-id_for_fireeye = alert.id as id
FIELDALIAS-signature_for_fireeye = alert.explanation.malware-detected.malware.name as signature
FIELDALIAS-sig_name_for_fireeye = alert.explanation.ips-detected.sig-name as sig_name
FIELDALIAS-severity_for_fireeye = alert.severity as severity
FIELDALIAS-occurred_for_fireeye = alert.occurred as occurred
FIELDALIAS-transport_for_fireeye = alert.explanation.protocol as transport
FIELDALIAS-src_ip_for_fireeye_app = alert.src.ip as src_ip
FIELDALIAS-src_for_fireeye = alert.src.ip as src
FIELDALIAS-src_port_for_fireeye = alert.src.port as src_port
FIELDALIAS-src_mac_for_fireeye = alert.src.mac as src_mac
FIELDALIAS-dest_ip_for_fireeye_app = alert.dst.ip as dest_ip
FIELDALIAS-dest_for_fireeye = alert.dst.ip as dest
FIELDALIAS-dest_port_for_fireeye = alert.dst.port as dest_port
FIELDALIAS-dest_mac_for_fireeye = alert.dst.mac as dest_mac
FIELDALIAS-file_hash_for_fireeye = alert.explanation.malware-detected.malware.md5sum as file_hash
FIELDALIAS-dvc_ip_cm_for_fireeye = alert.sensor-ip as dvc_ip
FIELDALIAS-dvc_host_cm_for_fireeye = alert.sensor as dvc_host
FIELDALIAS-dvc_ip_for_fireeye = host as dvc_ip
FIELDALIAS-dvc_host_for_fireeye = appliance as dvc_host

EVAL-dvc_host = coalesce(appliance, alert.sensor)

FIELDALIAS-app_for_fireeye = alert.explanation.malware-detected.malware.application as app
FIELDALIAS-action_for_fireeye = alert.action as action
FIELDALIAS-infURL_for_fireeye = alert.explanation.cnc-services.cnc-service.address as infURL
FIELDALIAS-objURL_for_fireeye = alert.explanation.malware-detected.malware{}.objurl as objURL

# This next product extraction line overrides the CM entry if it exists
FIELDALIAS-product_for_fireeye = alert.product as product
FIELDALIAS-product_version_for_fireeye = version as product_version
FIELDALIAS-ext_ref_for_fireeye = alert.alert-url as ext_ref
# product = product

# EX Fields
FIELDALIAS-duser_for_fireeye = alert.dst.smtp-to AS duser
FIELDALIAS-suser_for_fireeye = alert.src.smtp-mail-from AS suser
FIELDALIAS-duser_array_for_fireeye = alert{}.dst.smtp-to AS duser
FIELDALIAS-suser_array_for_fireeye = alert{}.src.smtp-mail-from AS suser
FIELDALIAS-malware_url_for_fireeye = alert.src.url as malware_url
FIELDALIAS-id_array_for_fireeye = alert{}.id as id
FIELDALIAS-signature_array_for_fireeye = alert{}.explanation.malware-detected.malware.name as signature
FIELDALIAS-severity_array_for_fireeye = alert{}.severity as severity
FIELDALIAS-occurred_array_for_fireeye = alert{}.occurred as occurred
FIELDALIAS-file_hash_array_for_fireeye = alert{}.explanation.malware-detected.malware.md5sum as file_hash
FIELDALIAS-email_file_name_for_fireeye = alert{}.explanation.malware-detected.malware.original as file_name
FIELDALIAS-recipient_for_fireeye = duser as recipient
FIELDALIAS-src_usr_for_fireeye = suser as src_user
FIELDALIAS-email_subject_for_fireeye = alert.smtp-message.subject as subject
FIELDALIAS-email_id_for_fireeye = id as message_id

# Client request
# The named-group name in the next three EXTRACT patterns was lost when the post was
# rendered (it read "(?[^/]+)"); "dest" is reconstructed here from the extraction names
# and is an assumption.
EXTRACT-header_dest_for_fireeye = "http-header": "\S+ [^:]+://(?<dest>[^/]+)/
EXTRACT-channel_dest_for_fireeye = "channel": "\S+ [^:]+://(?<dest>[^/]+)/
EXTRACT-objurl_dest_for_fireeye = "objurl": "((\S+)? [^:]+://)?(?<dest>[^/]+)
FIELDALIAS-dnd_address = alert.explanation.cnc-services.cnc-service.address AS cnc_address
FIELDALIAS-cnc_msg = alert.explanation.cnc-services.cnc-service.channel AS cnc_msg
FIELDALIAS-fe_url = alert.explanation.malware-detected.malware{}.objurl AS url

###### FireEye XML over SYSLOG ###### - WE RECOMMEND JSON DUE TO LOWER BROWSER MEMORY USAGE
[fe_xml_syslog]
SHOULD_LINEMERGE = false
KV_MODE = xml
TRUNCATE = 0
SEDCMD-carriage_return = s/[\n\r]/ /g
# The rest of this LINE_BREAKER value was cut off in the post.
LINE_BREAKER = (?:<\d+>fenotify-\d+.?:)(\s
```


walsborn
Path Finder

Was able to figure out that the HX console is now sending logs with different values and the REGEX in the add-on was not matching. Logs are sent as `July 11 13:20:00 fhx.it.wsu.edu cef[25504]: CEF:0|fireeye|HX|4.8.0`. In /local/transforms.conf you need to change the regex statement

from `.*:\sCEF:\d|fireeye|hx|`
to `.*:\sCEF:\d|fireeye|[h|H][x|X]|`


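The fix above comes down to one thing: the transforms.conf REGEX that rewrites the sourcetype stopped matching because the HX 4.8.0 console writes the product field as `HX` where the add-on expected `hx`, so every HX event fell through to the plain `syslog` sourcetype and the `hx_cef_syslog` searches went empty. The following Python script is an added example, not code from the post or from the FireEye add-on. It reproduces that sourcetype-override logic offline: an ordered list of (REGEX, sourcetype) rules standing in for the transforms.conf stanzas, run over the line the poster quoted plus two constructed lines (an older lower-case `hx` event and an unrelated sshd line), showing the old pattern silently dropping the new event into the default sourcetype while the case-insensitive pattern classifies it. One caveat the post does not spell out: Splunk regexes are PCRE, where an unescaped `|` is alternation, so a pattern written literally as `.*:\sCEF:\d|fireeye|hx|` matches every line through its trailing empty alternative; the example escapes the pipes and uses `[hH][xX]` in place of `[h|H][x|X]`, in which the `|` is just one more character in the class. The rule table, sample lines and helper names are this example's own.

```python
import re

# Sample syslog lines. NEW_HX_LINE follows the format the poster quoted from the HX 4.8.0
# console; OLD_HX_LINE and UNRELATED_LINE are constructed for this example.
NEW_HX_LINE = "Jul 11 13:20:00 fhx.it.wsu.edu cef[25504]: CEF:0|fireeye|HX|4.8.0|..."
OLD_HX_LINE = "Jul 11 13:20:00 fhx.it.wsu.edu cef[25504]: CEF:0|fireeye|hx|3.1.0|..."
UNRELATED_LINE = "Jul 11 13:21:00 bastion sshd[4242]: Accepted publickey for ops from 10.0.0.5"

# Ordered (REGEX, sourcetype) pairs, standing in for transforms.conf stanzas whose
# DEST_KEY is MetaData:Sourcetype. Pipes are escaped because '|' is alternation in PCRE.
OLD_RULES = [
    (r".*:\sCEF:\d\|fireeye\|hx\|", "hx_cef_syslog"),        # lower-case "hx" only
]
NEW_RULES = [
    (r".*:\sCEF:\d\|fireeye\|[hH][xX]\|", "hx_cef_syslog"),  # accepts "hx" and "HX"
]

# The same pattern with its pipes left unescaped, kept only to show why that is a problem.
UNESCAPED_PATTERN = r".*:\sCEF:\d|fireeye|hx|"


def assign_sourcetype(line: str, rules, default: str = "syslog") -> str:
    """Return the sourcetype of the first rule whose REGEX matches the line.

    Splunk's transforms REGEX is unanchored, so re.search is used. If no rule
    matches, the event keeps the sourcetype it arrived with (the default).
    """
    for pattern, sourcetype in rules:
        if re.search(pattern, line):
            return sourcetype
    return default


def unescaped_pattern_matches(line: str) -> bool:
    """True when the unescaped pattern matches; its empty last alternative matches anything."""
    return re.search(UNESCAPED_PATTERN, line) is not None


def classify(lines, rules):
    """Map each sample line to the sourcetype the given rule set assigns it."""
    return {line: assign_sourcetype(line, rules) for line in lines}


if __name__ == "__main__":
    samples = [OLD_HX_LINE, NEW_HX_LINE, UNRELATED_LINE]
    for label, rules in (("old rules", OLD_RULES), ("new rules", NEW_RULES)):
        print(label)
        for line, sourcetype in classify(samples, rules).items():
            print(f"  {sourcetype:14s} <- {line[:58]}")
    print("unescaped pattern matches unrelated line:",
          unescaped_pattern_matches(UNRELATED_LINE))
```

Under the old rules the HX 4.8.0 event is reported as `syslog`, which is exactly the "not receiving any data" symptom: the events were still being indexed, just not under `hx_cef_syslog`. That is the monitoring takeaway: after an upstream product upgrade, a drop in one sourcetype paired with a rise in the fallback `syslog` sourcetype is the signal that a header-matching transform has quietly stopped matching.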
