Re: eNcore correlation events SRC and DEST IP addr...

mcatanoi · ‎12-27-2018

Hi,

The Correlation Events received via eStreamer are processed by eNcore app in a wrong format for SRC and DEST IP addresses fields, which are presented as INTEGER values, rather than IPs.

per example:
rec_type=112 rec_type_desc="Correlation Event" src_ip=3117469894 dest_ip=182909563

Can you fix it please?

Thank you

douglashurd · ‎02-06-2019

Any chance you had Meta Data switched off on the FMC estreamer configuration page? We haven't seen this on other customer sites.

mcatanoi · ‎12-28-2018

Hi,

We've fixed this issue by modifying the following lines into the encore\estreamer\definitions\blocks_series1.py

...127
BLOCK_USER_LOGIN_INFORMATION_54: [
...
{ 'type': TYPE_IPV4, 'name': 'ipv4Address' },
{ 'type': TYPE_IPV6, 'name': 'ipv6Address' },
...

It would be great if the author of this app will submit these changes for the next release.

Thank you

p_gurav · ‎12-27-2018

Hi mcatanoi,

Please check the sourcetype is properly mapped for those events
Also check the format of extraction defined for this sourcetype is match with pattern of events you are getting.

eNcore correlation events SRC and DEST IP addresses fields as INTEGER

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases