04-20-2017 11:59 AM - edited 03-12-2019 06:21 AM
Hi!
I'm trying to PoC Splunk Enterprise Security as a SIEM and integrate Firepower logs from the Firepower Management server.
This proves not a trivial task.
I have eStreamer installed on our heavy forwarder and the Splunk add-on for Cisco FireSIGHT on the search head.
eStreamer is easily set up on our heavy forwarder. The problem lies with mapping fields and values over to the CIM model to use in Enterprise Security.
The Splunk eStreamer app is obsolete in its config, supporting up to 5.4. We are on 6.0.1 now and moving to 6.2 soon.
There are more fields in the logs from 6.0+ which are not supported in the current eStreamer app, file_actions for example.
I would appreciate a nudge in the right direction as to how to work out the kinks.
Is there someone here using Enterprise Security who has resolved these issues?
Right now I have a lot of unknown malware events, since all file events come up as unknown. The same in connection events, where unknown is the order of the day.
This basically makes Splunk Enterprise Security unusable as a SIEM if you are running Firepower.
I think it could be an easy fix, but I do not have the hours available in the PoC to investigate and develop a new eStreamer configuration.
08-11-2017 10:07 AM
I even have a Splunk ES Pro Svcs consultant engaged and he's throwing fits about the "unknown" values in eStreamer events.
11-16-2017 06:33 AM
Got most of the kinks worked out, but still some unknown events here and there.
I'm going to implement the new eNcore eStreamer TA that is compatible with 6.0+ FMC and see if we can't get this thing working 100%.
01-30-2018 11:06 AM
Hi,
Splunk has recently released an update to the app and add-on which may solve your issues:
Cisco eStreamer eNcore Add-on for Splunk:
https://splunkbase.splunk.com/app/3662/
Cisco Firepower eNcore App for Splunk: