Help Integrating Firepower in Splunk Enterprise Security with eStreamer

Skjalg Eggen
Level 1

Hi!

I'm trying to PoC Splunk Enterprise Security as SIEM and integrate Firepower logs from Firepower Management server.

This proves not a trivial task.

I have the eStreamer installed on our heavy forwarder and the Splunk add-on for Cisco FireSIGHT on the search head.

The eStreamer setup is easy on our heavy forwarder. The problem lies with mapping fields and values over to the CIM model to use in Enterprise Security.

The Splunk eStreamer app is obsolete in its config, supporting up to 5.4. We are on 6.0.1 now and moving to 6.2 soon.

There are more fields in the logs from 6.0+ which are not supported in the current eStreamer app. File_actions, for example.

I would appreciate a nudge in the right direction as how to work out the kinks.

Is there someone here using Enterprise security and has resolved these issues?

Right now I have a lot of unknown malware events, since all file events come up as unknown. The same in connection events, where unknown is the order of the day.

This basically makes Splunk Enterprise Security unusable as a SIEM if you are running Firepower.

I think it could be an easy fix, but I do not have the hours available in the PoC to investigate and develop a new eStreamer configuration.
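As an added example, not part of the original post or of the Cisco eStreamer app: this is the shape of the Splunk knowledge-object config that takes raw eStreamer fields and maps them onto the CIM Malware data model, which is what Enterprise Security reads. The sourcetype name `cisco:estreamer:data`, the raw field names (`sha256`, `src_ip`, `dest_ip`, `file_action_code`, `threat_name`, `disposition`, `event_type`) and the lookup CSV contents are assumptions; check the real names with `| fieldsummary` on your index and substitute them.

```ini
# ---- props.conf (search head, app context visible to ES) ----
# ASSUMPTION: sourcetype and raw field names are placeholders; verify with
#   index=<your_index> sourcetype=<your_sourcetype> | fieldsummary
[cisco:estreamer:data]
# Alias raw eStreamer fields onto the CIM Malware field names ES expects
FIELDALIAS-fp_file_hash = sha256 AS file_hash
FIELDALIAS-fp_src       = src_ip AS src
FIELDALIAS-fp_dest      = dest_ip AS dest
# file action arrives as a numeric code; translate it to a CIM "action" value
# (allowed / blocked) through the lookup defined in transforms.conf
LOOKUP-fp_file_action   = fp_file_action_lookup file_action_code OUTPUT action
# CIM Malware also wants signature and vendor_product; derive them so ES does
# not show "unknown" for every event
EVAL-vendor_product     = "Cisco Firepower"
EVAL-signature          = coalesce(threat_name, disposition, "unknown")

# ---- transforms.conf ----
[fp_file_action_lookup]
filename = fp_file_action.csv

# ---- lookups/fp_file_action.csv (constructed sample; fill the codes in from
# the eStreamer integration guide for your FMC version, these are placeholders) ----
# file_action_code,action
# 1,allowed
# 2,blocked

# ---- eventtypes.conf ----
# Scope the tags to file events only so connection events do not land in the
# Malware model (ASSUMPTION: event_type is the discriminating field)
[cisco_firepower_file_event]
search = sourcetype=cisco:estreamer:data event_type=file_event

# ---- tags.conf ----
# The Malware data model (Malware_Attacks) selects on tag=malware tag=attack
[eventtype=cisco_firepower_file_event]
malware = enabled
attack = enabled
```

After deploying, confirm the mapping from the search head with `| from datamodel:Malware.Malware_Attacks | stats count by action, signature`; if `action` still reads "unknown", the lookup input field name or the CSV codes are the usual culprits. The same pattern (FIELDALIAS onto `src`, `dest`, `src_port`, `dest_port`, `transport`, `action`, plus a `network` / `communicate` tag) applies to the Network_Traffic model for the connection events.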
