Splunk Enterprise Security
Highlighted

Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

New Member

Hello,
I setup correctly Cisco eStreamer 3.0.0 but I see that is not CIM and Enterprise Security won't see the data correctly.
Does anyone know if there will be a new version of CIM? Or the best way is to use the old 2.2.2 which is CIM?

Many Thanks

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

Influencer

Why do you say it is not CIM?

I took a look at the tags and eventtypes and they will surely be matched agains CIM. Am I missing something here?

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

New Member

I saw that there's no CIM in the app description, so I thought it was not compliant.
After investigating a bit I could see a few tag and eventypes, but i don't see anything matched.
In the logs I receive there's a lot of fields that are not matched (here the list of the possible fields I have).
source
sourcetype
app
appproto
dest
dest
ip
fwrule
http
response
rule
src
srcip
url
user
time
index
linecount
splunk
server

I'm pretty sure that I should have a ton of other fields. Can you confirm that I should see more things?
Many thanks

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

Influencer

The fields you should see strictly depend on what DataModel are your events being mapped against.
The list of fields you are showing me are pretty much the expected ones for NetworkTraffic DataModel I think, so don't assume it is not CIM compliant.

More, you don't need to have all the fields of a data model in your data. Rarely you'll have them all in fact.

Check here which fields each Data model of enterprise security has.

http://docs.splunk.com/Documentation/CIM/4.9.1/User/Authentication

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

New Member

It seems that there are no tags so the data cannot be used in any datamodel. Is this a normal behavior?
In estreamer TA there are no Tags, in estreamer dashboard there are eventtypes but again no tags.
I put a picture here:
https://imgur.com/MwrXzqf

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

Path Finder

In the new eStreamer eNcore I found a couple issues that might cause this:

  1. the eventtypes are defined in the eStreamer-Dashboard app, not in the TA-eStreamer one, so make sure you install both.
  2. there are typos in the eStreamer-Dashboard default tags.conf.. all of the eventtypes there use dashes in place of the underscore present in the eventtypes.conf. -- updating the tags.conf and replacing all "-" with "_" resolves that.

Example, I changed:
[eventtype=estreamer-ids-ips-event]

to

[eventtype=estreameridsips_event]

View solution in original post

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

New Member

I confirm this is how I solved.
Many thanks!

0 Karma
Highlighted

Re: Why is the CIM and the Enterprise Security not seeing the data correctly in Cisco Firepower eNcore App for Splunk?

New Member

I solved fixing the tags inside the estreamer dashboard.

0 Karma