Re: Fireeye App eventtype and tag configuration. W...

AyeDefo · ‎07-18-2017

We are reviewing the Fireeye app v3 for Splunk CIM compliance; the eventtype configuration that exists in the Splunk FireEye app currently applies all tags all to events, meaning for example the email tag is applied to HX events, resulting in them populating in the Email data model in splunk, which does not seem correct.
We are trying to understand if there is a reason for this, or if there is a reason multiple eventtypes can't be defined to apply the tags a bit more selectively, so that the event types from the various FireEye appliance end up on only the relevant data models.
i.e. Events from HX only end up in the 'Malware' & 'Intrusion Detection' data model and not the 'Email' data model.
The defined eventtype search string in the fireeye app:

search = sourcetype=fe_* OR sourcetype=hx_*

That search results in every fireeye event we have getting tagged with these:

alert, attack, dhcp, email, ids, malware, operations, proxy & web

Could someone familiar with this app and CIM compliance explain the logic of this setup?
@TonyLeeVT

woodcock · ‎11-28-2018

This is just plain laziness on the part of the app developers. It is totally, obviously wrong and inexcusable. I am working on my own version of the app to fix it. BARF.

esalesap · ‎10-26-2023

@woodcock did you ever complete a more granular tagging of FireEye events? would you be willing to share?

Fireeye App eventtype and tag configuration. Why apply all tags to all events all in one go?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...