Sounds like a neat solution... Just be careful about your support agreements with Cisco if you go modifying things on the DC at the O/S level... you don't want to void your support contracts on your DCs with customisations etc :-(
FireSIGHT DCs do h...
Yep, I know exactly why.
Sourcefire/FireSIGHT DC simply does NOT send the 'DetectionEngineName' in any of the intrusion events. Which brainiac thought up that solution??
You will notice in the METADATA:123 events, the DetectionEngineName correlates t...
What does the raw event look like? Can you post it here?
You'll need to enable 'Preserve Raw Events' in your SmartConnector's runtime parameters, and then copy the 'raw event' field from ESM Console.
From FS DC v5.x onwards, I believe the Metadata event format (as seen by ArcSight) is: EventMap: [RecordType=>123] , [RecordLength=>20] , [DetectionEngineName=>192.168.1.1] , [DetectionEngineId=>1]
You'll need to modify your regex expression according...
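As an added worked example (not code from the thread, the SmartConnector or Cisco), here is one way to parse the bracketed EventMap format quoted above with a regex and use the RecordType 123 metadata events to fill in the DetectionEngineName that the intrusion events lack. It assumes the intrusion events at least carry a DetectionEngineId that matches the one in the metadata event; the intrusion sample line, its RecordType value and the Priority field are constructed placeholders, not taken from the thread.

```python
import re
from typing import Dict, Iterable

# Constructed sample raw events. The metadata line copies the shape quoted in
# the thread; the intrusion line is an assumed placeholder that carries a
# DetectionEngineId but, as the thread says, no DetectionEngineName.
METADATA_EVENT = ("EventMap: [RecordType=>123] , [RecordLength=>20] , "
                  "[DetectionEngineName=>192.168.1.1] , [DetectionEngineId=>1]")
INTRUSION_EVENT = ("EventMap: [RecordType=>999] , [DetectionEngineId=>1] , "
                   "[Priority=>2]")  # RecordType 999 is a placeholder, not a real type

# One pattern matches every "[Key=>Value]" pair regardless of the spacing
# around the commas; values may contain anything except a closing bracket.
PAIR_RE = re.compile(r"\[\s*(?P<key>[^\]=]+?)\s*=>\s*(?P<value>[^\]]*?)\s*\]")


def parse_event_map(raw: str) -> Dict[str, str]:
    """Turn a raw 'EventMap: [k=>v] , ...' string into a field-name -> value dict."""
    if not raw.lstrip().startswith("EventMap:"):
        raise ValueError("not an EventMap record")
    return {m.group("key"): m.group("value") for m in PAIR_RE.finditer(raw)}


def engine_names_from_metadata(raw_events: Iterable[str]) -> Dict[str, str]:
    """Build a DetectionEngineId -> DetectionEngineName map from RecordType 123 events only."""
    names: Dict[str, str] = {}
    for raw in raw_events:
        fields = parse_event_map(raw)
        if (fields.get("RecordType") == "123"
                and "DetectionEngineId" in fields
                and "DetectionEngineName" in fields):
            names[fields["DetectionEngineId"]] = fields["DetectionEngineName"]
    return names


def enrich_intrusion_event(raw: str, names: Dict[str, str]) -> Dict[str, str]:
    """Attach DetectionEngineName to an event that only carries DetectionEngineId.

    Unknown IDs get a visible marker rather than a silent blank, so a sensor
    whose metadata event was never seen shows up in the console.
    """
    fields = parse_event_map(raw)
    engine_id = fields.get("DetectionEngineId")
    if engine_id is not None and "DetectionEngineName" not in fields:
        fields["DetectionEngineName"] = names.get(engine_id, "unknown-engine")
    return fields


if __name__ == "__main__":
    lookup = engine_names_from_metadata([METADATA_EVENT])
    print(enrich_intrusion_event(INTRUSION_EVENT, lookup))
```

The map has to be rebuilt from the metadata events each time the connector restarts, and it only helps for engine IDs whose RecordType 123 event has already been received, so an intrusion event that arrives before its metadata event will still show the placeholder name.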