I've installed the latest [TA-eStreamer][1] and I'm trying to see if I can get the data into InfoSec App for Splunk for IDS/IDP events. I followed the [setup instructions][2] and I can see data coming in. Unfortunately, the events do not appear to be tagged and aren't getting put into the CIM Data Model for Network Traffic or Intrusion Detection. Looking at the props.conf, there are a number of entries for CIM fields, but I'm not getting them recognized.
[1]: https://splunkbase.splunk.com/app/3662/
[2]: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_354.html