In regards to the intrusion events/alerts... Currently, in our eStreamer feed, we are not getting the fields "HTTP URL" or "HTTP Hostname." Is there a way to get those through eStreamer?
What version of the FMC are you using? Are you using the following TA? https://splunkbase.splunk.com/app/3662/