
Firepower eStreamer and Cisco Security Cloud for Splunk

raymng
Level 1

Hi there,

We recently installed the Cisco Security Cloud App for Splunk.

I configured the eStreamer services on our FMC (ver 7.4.2.1).

I am seeing Connection Events in Splunk.

According to this article:

https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740/c_available_fqe.html

there should be fields such as Device and DeviceIP on the connection event log. But I don't see them in the Splunk log.

In Splunk, I see fields such as DeviceUUID, InitiatorIP, ResponderIP, etc.

Question:
Do I need to make special configuration changes in FMC or in Splunk to include fields such as DeviceIP?

Or, although the FMC eStreamer has those fields, does the Cisco Security Cloud app not support them?

Thanks in advance.

1 Reply

wajidhassan
Level 4

1. FMC via eStreamer does include fields like Device and DeviceIP
The FMC’s eStreamer FQE output does expose fields like Device and DeviceIP, along with others like InitiatorIP and ResponderIP.

2. Cisco Security Cloud App may not support those fields (yet)
You're using the new Cisco Security Cloud App for Splunk, which replaced the older Secure Firewall App. According to the Splunkbase description:

“The Cisco Security Cloud … provides eStreamer SDK integration which will provide fully qualified event support for IDS, Malware, Connection and IDS Packet data.”
— Cisco Secure Firewall App page, EOL notice


That said, many customers report that older apps only included DeviceUUID, InitiatorIP, and ResponderIP, even when FMC supplied more.

So unless you’re using the very latest Cisco Security Cloud App version, those extra fields may not yet be mapped by the app’s field extraction components.

3. What you can do
Check your installed app version:

Navigate to Cisco Security Cloud App → About in Splunk.

Compare with the latest version on Splunkbase (e.g. v1.2.4 as of Sept 2024).

Upgrade to the latest version if you haven’t already. Newer versions may add more field mappings for fully qualified events.

Inspect raw JSON:

Search Splunk for a connection event:

index=… sourcetype="cisco:secure_firewall" EventType="ConnectionEvent"

Use | spath to see if fields like DeviceIP are buried in the raw JSON.

Add custom extractions if FMC includes those fields but the app doesn’t extract them:

Edit props.conf and transforms.conf in your Splunk app like:

props.conf:
[cisco:secure_firewall]
KV_MODE = json

This ensures all JSON keys in connection events are indexed and searchable.

Or manually map:

transforms.conf:
[extract_device_ip]
REGEX = \"DeviceIP\":\"(?<DeviceIP>[^\"]+)\"

Then apply via props.conf:
props.conf:
[cisco:secure_firewall]
REPORT-device_ip = extract_device_ip

Give feedback to Cisco:

Log a feature request or bug report to have Device and DeviceIP added to the official app extractions.

TL;DR
FMC does include DeviceIP, but the Cisco Security Cloud App might not parse it yet.

No special FMC config is required.

Upgrade your app, check raw logs, and add JSON or regex extractions.

File feedback with Cisco to encourage full field support.
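The reply suggests two ways to recover DeviceIP from the raw event: JSON-aware extraction (KV_MODE = json / spath) and a literal regex in transforms.conf. The two do not behave the same on every event shape, which matters when deciding which one to deploy. The Python script below is an added example, not code from the thread or from the Cisco app: it runs the reply's regex (rewritten with Python's `(?P<name>...)` group syntax) and a JSON walk over four constructed connection events with invented IPs and UUIDs, and reports what each method finds. The field names follow the FQE guide linked in the question; the event layouts (compact JSON, pretty-printed JSON, a syslog-prefixed line, and an event without DeviceIP) are assumptions chosen to expose the differences.

```python
import json
import re

# The transforms.conf regex from the reply, in Python syntax. Splunk's PCRE engine
# writes the named group as (?<DeviceIP>...); Python's re module needs (?P<DeviceIP>...).
DEVICE_IP_REGEX = re.compile(r'"DeviceIP":"(?P<DeviceIP>[^"]+)"')

# Constructed sample events (not real eStreamer output): field names follow the FQE
# guide, every value is invented.
SAMPLE_EVENTS = [
    # 1. compact JSON with DeviceIP at the top level: both methods find it
    '{"EventType":"ConnectionEvent","DeviceUUID":"11111111-2222-3333-4444-555555555555",'
    '"DeviceIP":"192.0.2.10","InitiatorIP":"10.0.0.5","ResponderIP":"203.0.113.7"}',
    # 2. pretty-printed JSON (space after the colon): the literal regex misses it,
    #    JSON parsing does not
    '{"EventType": "ConnectionEvent", "DeviceIP": "192.0.2.11", "InitiatorIP": "10.0.0.6"}',
    # 3. JSON wrapped in a syslog header: the regex still matches, but the event is no
    #    longer a JSON document, so KV_MODE=json / spath on _raw gets nothing
    '<14>Jul 15 10:00:00 fmc-host {"EventType":"ConnectionEvent","DeviceIP":"192.0.2.12"}',
    # 4. field genuinely absent from the event: both methods return None, which is the
    #    signal that FMC/the app did not send it rather than that extraction failed
    '{"EventType":"ConnectionEvent","DeviceUUID":"66666666-7777-8888-9999-000000000000",'
    '"InitiatorIP":"10.0.0.7","ResponderIP":"203.0.113.9"}',
]


def extract_device_ip_regex(raw: str):
    """Mimic the transforms.conf REGEX extraction: a literal substring match on _raw."""
    m = DEVICE_IP_REGEX.search(raw)
    return m.group("DeviceIP") if m else None


def _find_key(obj, key):
    """Depth-first search for `key` anywhere in a parsed JSON document (assumes the
    field might be nested under a sub-object, which the thread does not settle)."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _find_key(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


def extract_device_ip_json(raw: str):
    """Mimic KV_MODE=json / spath: parse the whole event as JSON, then locate DeviceIP."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None  # _raw is not a JSON document, so JSON-mode extraction yields nothing
    return _find_key(doc, "DeviceIP")


def compare_extractions(events):
    """Return (regex_result, json_result) for each event so the two methods can be compared."""
    return [(extract_device_ip_regex(e), extract_device_ip_json(e)) for e in events]


if __name__ == "__main__":
    for i, (by_regex, by_json) in enumerate(compare_extractions(SAMPLE_EVENTS), 1):
        print(f"event {i}: regex -> {by_regex!r:14} json -> {by_json!r}")
```

The takeaway for the troubleshooting steps in the reply: run the spath check first, because if DeviceIP is absent from the parsed JSON of a well-formed event (case 4) no extraction rule will conjure it, and that is the point at which the feature request to Cisco is the right move. If the field is present, prefer KV_MODE = json for well-formed JSON events and fall back to the regex only where the events arrive with a non-JSON prefix, keeping in mind that the regex is sensitive to whitespace and key ordering in a way the JSON parser is not.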