Splunk Enterprise Security

Fire Eye TA v3 lost sourcetype after update


Hello,

I recently updated the Fire Eye TA to version 3 and now I am not receiving any data. I have 6 indexers, 4 search heads and many UFs. I have the TA installed on the indexers only and the app on the search heads; the app is working with previous data. My index is security and my sourcetype is hxcefsyslog, and I have the below files in default. Can anyone see what I'm doing wrong?

[eventtypes.conf file]

[fe]
search = sourcetype=fe* OR sourcetype=hx*

[my props.conf file]

# Stanzas in this file
#  - syslog        - Should probably not be used unless desperate
#  - fejsonsyslog
#  - fexmlsyslog   - JSON is preferred
#  - hxcefsyslog
#  - fecefsyslog
#  - fecsvsyslog
#  - fe_xml        - JSON is preferred
#  - fe_json
#  - fetapjson
#
# Can convert syslog to other sourcetypes, but sourcetype should be specified elsewhere

[syslog]
# The next two lines use transforms.conf to send the syslog events and rename them to
# something other than syslog. fexmlsyslog and fexmljson should be sent directly as those sourcetypes.
TRANSFORMS-updateFireEyeSourcetypes = fixFireEyeCEFst, fixFireEyeCSVst, fixFireEyeXMLst, fixFireEyeJSONst
TRANSFORMS-updateFireEyeHXSourcetypes = fixHXCEFst, fixHX2CEFst
# Uncomment the next line to send FireEye data to a separate index called "security"
# (as posted, the list names fixFireEyeJSONst, the sourcetype transform, where every other
# entry is an index transform ending in "in"; worth checking against transforms.conf)
TRANSFORMS-updateFireEyeIndex = fixFireEyeCEFin, fixFireEyeCSVin, fixFireEyeXMLin, fixFireEyeJSONst, fixHXCEFin, fixHX2CEFin

###### FireEye JSON over SYSLOG ###### - RECOMMENDED INSTEAD OF XML
[fejsonsyslog]
SHOULD_LINEMERGE = false
KV_MODE = json
TRUNCATE = 0
SEDCMD-carriagereturn = s/[\n\r]/ /g
SEDCMD-remove_nulls = s/\x00//g
LINE_BREAKER = (?:<\d+>fenotify-\d+.?:)
# Strip the SYSLOG header off to make it JSON
TRANSFORMS-stripSyslog = FEYE-syslog-header-strip
FIELDALIAS-categoryforfireeye = alert.name as category
FIELDALIAS-idforfireeye = alert.id as id
FIELDALIAS-signatureforfireeye = alert.explanation.malware-detected.malware.name as signature
FIELDALIAS-signameforfireeye = alert.explanation.ips-detected.sig-name as signame
FIELDALIAS-severityforfireeye = alert.severity as severity
FIELDALIAS-occurredforfireeye = alert.occurred as occurred
FIELDALIAS-transportforfireeye = alert.explanation.protocol as transport
FIELDALIAS-srcipforfireeyeapp = alert.src.ip as srcip
FIELDALIAS-src_forfireeye = alert.src.ip as src
FIELDALIAS-src_portforfireeye = alert.src.port as srcport
FIELDALIAS-src_macforfireeye = alert.src.mac as srcmac
FIELDALIAS-dest_ipforfireeyeapp = alert.dst.ip as destip
FIELDALIAS-destforfireeye = alert.dst.ip as dest
FIELDALIAS-destportforfireeye = alert.dst.port as destport
FIELDALIAS-destmacforfireeye = alert.dst.mac as destmac
FIELDALIAS-filehashforfireeye = alert.explanation.malware-detected.malware.md5sum as filehash
FIELDALIAS-dvcipcmforfireeye = alert.sensor-ip as dvcip
FIELDALIAS-dvc_hostcmforfireeye = alert.sensor as dvchost
FIELDALIAS-dvcipforfireeye = host as dvcip
FIELDALIAS-dvchostforfireeye = appliance as dvchost
# field names containing "." must be single-quoted inside eval, otherwise "." is string concatenation
EVAL-dvc_host = coalesce(appliance, 'alert.sensor')
FIELDALIAS-appforfireeye = alert.explanation.malware-detected.malware.application as app
FIELDALIAS-actionforfireeye = alert.action as action
FIELDALIAS-infURLforfireeye = alert.explanation.cnc-services.cnc-service.address as infURL
FIELDALIAS-objURLforfireeye = alert.explanation.malware-detected.malware{}.objurl as objURL
# This next product extraction line overrides the CM entry if it exists
FIELDALIAS-productforfireeye = alert.product as product
FIELDALIAS-productversionforfireeye = version as productversion
FIELDALIAS-extrefforfireeye = alert.alert-url as extref
product = product

# EX Fields
FIELDALIAS-duserforfireeye = alert.dst.smtp-to AS duser
FIELDALIAS-suserforfireeye = alert.src.smtp-mail-from AS suser
FIELDALIAS-duserarrayforfireeye = alert{}.dst.smtp-to AS duser
FIELDALIAS-suser_arrayforfireeye = alert{}.src.smtp-mail-from AS suser
FIELDALIAS-malwareurlforfireeye = alert.src.url as malwareurl
FIELDALIAS-idarrayforfireeye = alert{}.id as id
FIELDALIAS-signature_arrayforfireeye = alert{}.explanation.malware-detected.malware.name as signature
FIELDALIAS-severityarrayforfireeye = alert{}.severity as severity
FIELDALIAS-occurred_arrayforfireeye = alert{}.occurred as occurred
FIELDALIAS-filehasharrayforfireeye = alert{}.explanation.malware-detected.malware.md5sum as filehash
FIELDALIAS-email_filenameforfireeye = alert{}.explanation.malware-detected.malware.original as filename
FIELDALIAS-recipientforfireeye = duser as recipient
FIELDALIAS-srcusrforfireeye = suser as srcuser
FIELDALIAS-emailsubjectforfireeye = alert.smtp-message.subject as subject
FIELDALIAS-email_idforfireeye = id as message_id

# Client request
# (the named capture group was lost when the post was rendered; "dest" is assumed from the
# extraction names headerdest / channeldest / objurldest)
EXTRACT-headerdestforfireeye = "http-header": "\S+ [^:]+://(?<dest>[^/]+)/
EXTRACT-channel_destforfireeye = "channel": "\S+ [^:]+://(?<dest>[^/]+)/
EXTRACT-objurldestforfireeye = "objurl": "((\S+)? [^:]+://)?(?<dest>[^/]+)
FIELDALIAS-dnd_address = alert.explanation.cnc-services.cnc-service.address AS cncaddress
FIELDALIAS-cnc_msg = alert.explanation.cnc-services.cnc-service.channel AS cncmsg
FIELDALIAS-fe_url = alert.explanation.malware-detected.malware{}.objurl AS url

###### FireEye XML over SYSLOG ###### - WE RECOMMEND JSON DUE TO LOWER BROWSER MEMORY USAGE
[fexmlsyslog]
SHOULD_LINEMERGE = false
KV_MODE = xml
TRUNCATE = 0
SEDCMD-carriagereturn = s/[\n\r]/ /g
LINE_BREAKER = (?:<\d+>fenotify-\d+.?:)(\s

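To see what the posted [fejsonsyslog] stanza actually does to an incoming stream, here is an added example (not code from the FireEye TA or from the original post) that replays its steps in plain Python: the LINE_BREAKER regex from the stanza cuts the stream into events, SEDCMD-carriagereturn flattens embedded newlines, a header strip stands in for the FEYE-syslog-header-strip transform (its regex is not on the page, so the one used here is an assumption), and a subset of the FIELDALIAS lines plus the EVAL-dvc_host coalesce are applied to the parsed JSON. The alert records and the "<pri>fenotify-<id>: <json>" envelope are constructed for the example.

```python
"""Replay the [fejsonsyslog] stanza (LINE_BREAKER, SEDCMD, header strip, FIELDALIAS, EVAL)
over a constructed FireEye JSON-over-syslog stream. Added example; not TA code."""
import json
import re


def syslog_envelope(alert_id, alert):
    # Assumption: each JSON alert arrives prefixed with a syslog priority and a fenotify tag,
    # which is the shape the stanza's LINE_BREAKER regex expects.
    return "<14>fenotify-%d: %s" % (alert_id, json.dumps({"alert": alert}))


# Constructed sample alerts (RFC 5737 documentation addresses, placeholder hash).
SAMPLE_ALERTS = [
    (1001, {"id": 1001, "name": "malware-object", "severity": "majr",
            "occurred": "2019-07-11T13:20:00Z",
            "src": {"ip": "192.0.2.10", "port": 51234},
            "dst": {"ip": "198.51.100.5", "port": 80},
            "sensor": "fe-nx-01", "sensor-ip": "203.0.113.9",
            "explanation": {"protocol": "tcp",
                            "malware-detected": {"malware": {
                                "name": "Trojan.Generic",
                                "md5sum": "d41d8cd98f00b204e9800998ecf8427e"}}}}),
    (1002, {"id": 1002, "name": "web-infection", "severity": "minr",
            "occurred": "2019-07-11T13:21:00Z",
            "src": {"ip": "192.0.2.11", "port": 51235},
            "dst": {"ip": "198.51.100.6", "port": 443},
            "sensor": "fe-nx-01", "sensor-ip": "203.0.113.9",
            "explanation": {"protocol": "tcp"}}),
]
SAMPLE_STREAM = "\n".join(syslog_envelope(i, a) for i, a in SAMPLE_ALERTS)

LINE_BREAKER = re.compile(r"(?:<\d+>fenotify-\d+.?:)")   # verbatim from the stanza
SYSLOG_HEADER = re.compile(r"^<\d+>fenotify-\d+.?:\s*")   # assumed FEYE-syslog-header-strip
FIELD_ALIASES = {  # subset of the stanza's FIELDALIAS-* lines: alias -> dotted source key
    "category": "alert.name",
    "id": "alert.id",
    "signature": "alert.explanation.malware-detected.malware.name",
    "severity": "alert.severity",
    "occurred": "alert.occurred",
    "transport": "alert.explanation.protocol",
    "src": "alert.src.ip",
    "srcport": "alert.src.port",
    "dest": "alert.dst.ip",
    "destport": "alert.dst.port",
    "filehash": "alert.explanation.malware-detected.malware.md5sum",
    "dvcip": "alert.sensor-ip",
    "dvchost": "alert.sensor",
}


def break_events(stream):
    """LINE_BREAKER: start a new event at every '<pri>fenotify-N:' header. Splunk would
    discard the text of a capture group; the header is kept here so the strip step has
    something to remove."""
    starts = [m.start() for m in LINE_BREAKER.finditer(stream)]
    bounds = zip(starts, starts[1:] + [len(stream)])
    return [stream[a:b] for a, b in bounds if stream[a:b].strip()]


def strip_syslog_header(event):
    """SEDCMD-carriagereturn, SEDCMD-remove_nulls, then the syslog header strip."""
    flat = re.sub(r"[\n\r]", " ", event)      # s/[\n\r]/ /g
    flat = flat.replace("\x00", "")           # s/\x00//g
    return SYSLOG_HEADER.sub("", flat, count=1)


def lookup(obj, dotted):
    """Resolve a KV_MODE=json style dotted key; None when any segment is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def alias_fields(parsed):
    """FIELDALIAS creates the alias only when the source field exists; EVAL-dvc_host takes
    the first non-null of appliance and alert.sensor."""
    fields = {}
    for alias, source in FIELD_ALIASES.items():
        value = lookup(parsed, source)
        if value is not None:
            fields[alias] = value
    dvc_host = parsed.get("appliance") or lookup(parsed, "alert.sensor")
    if dvc_host is not None:
        fields["dvc_host"] = dvc_host
    return fields


def process(stream):
    """Run the whole stanza over a raw stream; returns one field dict per event."""
    return [alias_fields(json.loads(strip_syslog_header(raw)))
            for raw in break_events(stream)]


if __name__ == "__main__":
    for ev in process(SAMPLE_STREAM):
        print(ev)
```

The second sample alert has no malware-detected block, so it comes out without signature or filehash, which is the same behaviour a Splunk search sees when a FIELDALIAS source field is absent. Array keys such as alert{}.dst.smtp-to are not modelled here.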
1 Solution


Was able to figure out that the HX console is now sending logs with different values and the REGEX in the add-on was not matching. Logs are sent as July 11 13:20:00 fhx.it.wsu.edu cef[25504]: CEF:0|fireeye|HX|4.8.0. In /local/transforms.conf you need to change the regex statement.

from:
REGEX = .*:\sCEF:\d\|fireeye\|hx\|

to:
REGEX = .*:\sCEF:\d\|fireeye\|[hH][xX]\|

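The regex change in the answer can be checked offline before touching the indexers. The added example below (not code from the FireEye TA or from the thread) emulates how a TRANSFORMS-* stanza works: REGEX is applied unanchored to the raw event, and on a match FORMAT is written into DEST_KEY, MetaData:Sourcetype for [fixHXCEFst] and MetaData:Index for [fixHXCEFin], both of which the posted [syslog] stanza lists. Python's re handles these patterns the same way Splunk's PCRE does. The stanza names come from the posted props.conf; the FORMAT values (hxcefsyslog, security), the fallback sourcetype and index, the CEF extension fields, and every sample line other than the one quoted in the answer are constructed for the example.

```python
"""Compare the shipped and corrected [fixHXCEFst]/[fixHXCEFin] REGEX against sample HX
CEF lines by emulating Splunk's TRANSFORMS routing. Added example; not TA code."""
import re

OLD_REGEX = r".*:\sCEF:\d\|fireeye\|hx\|"           # shipped in the add-on, per the answer
NEW_REGEX = r".*:\sCEF:\d\|fireeye\|[hH][xX]\|"     # the fix: accept "HX" as well as "hx"

# Assumed contents of the two stanzas in local/transforms.conf (FORMAT values are a guess
# consistent with the poster's index "security" and sourcetype "hxcefsyslog").
TRANSFORMS = {
    "fixHXCEFst": {"DEST_KEY": "MetaData:Sourcetype", "FORMAT": "sourcetype::hxcefsyslog"},
    "fixHXCEFin": {"DEST_KEY": "MetaData:Index", "FORMAT": "security"},
}

SAMPLE_LINES = [
    # Format the answer says the HX 4.8.0 console now sends (extension fields constructed).
    "July 11 13:20:00 fhx.it.wsu.edu cef[25504]: CEF:0|fireeye|HX|4.8.0|IOC Hit Found|"
    "IOC Hit Found|8|rt=Jul 11 2019 13:20:00 UTC dvchost=fhx.it.wsu.edu dst=192.0.2.45",
    # Older format with the lowercase product name the shipped regex was written for (constructed).
    "Jul 11 13:19:00 fhx.it.wsu.edu hx: CEF:0|fireeye|hx|3.1.0|Exploit Blocked|"
    "Exploit Blocked|8|dvchost=fhx.it.wsu.edu dst=192.0.2.46",
    # Unrelated CEF from another vendor: must stay on the default sourcetype (constructed).
    "Jul 11 13:18:00 fw01.example.net cef: CEF:0|ExampleVendor|NGFW|1.0|100|Denied|3|src=192.0.2.9",
]


def route_event(raw, regex, transforms=TRANSFORMS):
    """Emulate the HX transforms: default metadata, overwritten only when REGEX matches _raw."""
    meta = {"MetaData:Sourcetype": "sourcetype::syslog", "MetaData:Index": "main"}
    if re.search(regex, raw):                 # Splunk applies REGEX unanchored to SOURCE_KEY
        for stanza in transforms.values():
            meta[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return meta


def sourcetype_of(raw, regex):
    """The sourcetype an event ends up with, without the 'sourcetype::' prefix."""
    return route_event(raw, regex)["MetaData:Sourcetype"].split("::", 1)[1]


def compare(lines):
    """(old sourcetype, new sourcetype) for each line: shows exactly which events the fix moves."""
    return [(sourcetype_of(line, OLD_REGEX), sourcetype_of(line, NEW_REGEX)) for line in lines]


if __name__ == "__main__":
    for line, (old, new) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print("%-12s -> %-12s  %s" % (old, new, line[:60]))
```

Only the uppercase "HX" line changes destination; events from an older console still route as before, and foreign CEF is untouched. Because the posted [syslog] stanza drives both the sourcetype and the index rewrite from separate stanzas (fixHXCEFst and fixHXCEFin), the regex has to be changed in both, otherwise the event gets the new sourcetype but stays in the default index, or the reverse. A case-insensitive flag on just that token, `(?i:hx)`, is an equivalent spelling of the fix.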
