Solved: why is the URL field in the Splunk Add-on for Cisc...

stefan1988 · ‎05-27-2016

The Splunk Add-on for Cisco CWS: url field is sometimes empty causing DM vulnerabilities in Enterprise Security filling up with unknown field values.

piebob · ‎05-27-2016

This is because url is build from 4 parts (cs_uri_scheme + "://" + cs_host + cs_uri_path + "?" + cs_uri_query) and when cs_uri_query is empty url will be empty.

Please adjust the TA and in props.conf instead of:
EVAL-url = cs_uri_scheme + "://" + cs_host + cs_uri_path + "?" + cs_uri_query

use:
EVAL-url = case(len(cs_uri_query)>0 AND len(cs_uri_path)>0,cs_uri_scheme + "://" + cs_host + cs_uri_path + "?" + cs_uri_query,
len(cs_uri_path)>0,cs_uri_scheme + "://" + cs_host + cs_uri_path,
1==1,cs_uri_scheme + "://" + cs_host)

View solution in original post

piebob · ‎05-27-2016

This is because url is build from 4 parts (cs_uri_scheme + "://" + cs_host + cs_uri_path + "?" + cs_uri_query) and when cs_uri_query is empty url will be empty.

Please adjust the TA and in props.conf instead of:
EVAL-url = cs_uri_scheme + "://" + cs_host + cs_uri_path + "?" + cs_uri_query

use:
EVAL-url = case(len(cs_uri_query)>0 AND len(cs_uri_path)>0,cs_uri_scheme + "://" + cs_host + cs_uri_path + "?" + cs_uri_query,
len(cs_uri_path)>0,cs_uri_scheme + "://" + cs_host + cs_uri_path,
1==1,cs_uri_scheme + "://" + cs_host)

why is the URL field in the Splunk Add-on for Cisco CWS sometimes empty?

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!