Issues with Sourcefire API eStreamer Connector and Event Severity Info
Typically the ArcSight Sourcefire API Connector will map a numeric value passed by eStreamer to the Connector to the Sourcefire threat "color". This populates the deviceAction field. Lots of people build content around this field (instead of a Priority or deviceSeverity field) because they've "migrated" from solely using an IDS/IPS (Sourcefire) to a SIEM (ArcSight).
Over the past several years, both where I currently work and at a prior customer, we would sometimes see a "number" in this field instead of the expected "color" used within Sourcefire. Typically the numbers "67" and "64" show up.
After a bit of hunting I found that the color-to-number mapping is handled by a mapping .csv used by the Connector. I was simply able to override the existing mapping and add the new values.
For those looking, take a gander at $arcsight_home/current/user/agent/fcp/sourcefire/impact_flag_desc.csv -- the format is just like a regular mapping file and follows the "getter,setter" model discussed for mapping files. I just added the following...
64,Red -- Vulnerable
67,Red -- Vulnerable
Hopefully these extra values (and others that come out of Sourcefire) will be picked up by Engineering and incorporated into the next build of the Connector. I dug through the Sourcefire API guide and didn't get anywhere in trying to find more values; I had to work with my analysts to come up with this mapping by finding the same event within Sourcefire, looking at rawEvents with Preserve Raw Event, etc.
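To make the check above repeatable, here is an added example (not ArcSight's or Sourcefire's code) that parses a "getter,setter" mapping file, shows how an unmapped impact value falls through to deviceAction as a bare number, lists the numbers seen in a channel that have no row, and builds the override rows to append. The mapping rows and deviceAction values in it are constructed placeholders; the real impact_flag_desc.csv contents are not assumed.

```python
import csv
import io

# Constructed stand-in for the connector's impact_flag_desc.csv in the
# "getter,setter" layout: raw eStreamer impact value on the left, Sourcefire
# "color" label on the right. These two rows are placeholders, not the real file.
SAMPLE_IMPACT_FLAG_DESC = """\
100,Green -- Constructed placeholder
101,Orange -- Constructed placeholder
"""

# Constructed deviceAction values as pulled from an active channel: mapped
# impact values show a color, unmapped ones fall through as bare numbers.
SAMPLE_DEVICE_ACTIONS = [
    "Green -- Constructed placeholder", "67", "64", "67",
    "Orange -- Constructed placeholder", "64",
]


def load_impact_map(text):
    """Parse getter,setter rows into {raw value: color label}, skipping blanks."""
    mapping = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and not row[0].startswith("#"):
            mapping[row[0].strip()] = row[1].strip()
    return mapping


def resolve(value, mapping):
    """Reproduce the symptom: mapped values become their color, anything else
    passes through unchanged, which is how a bare "67" reaches deviceAction."""
    return mapping.get(value, value)


def find_unmapped(device_actions, mapping):
    """Distinct bare-numeric deviceAction values that have no mapping row."""
    return sorted({v for v in device_actions if v.isdigit() and v not in mapping})


def override_rows(values, label):
    """Rows to append to the mapping file once analysts have confirmed the label
    by matching the events in Sourcefire (the post used 'Red -- Vulnerable')."""
    return [f"{v},{label}" for v in values]


if __name__ == "__main__":
    missing = find_unmapped(SAMPLE_DEVICE_ACTIONS, load_impact_map(SAMPLE_IMPACT_FLAG_DESC))
    print("\n".join(override_rows(missing, "Red -- Vulnerable")))
```

Run it against an export of deviceAction values from your own channel and the copy of impact_flag_desc.csv under $arcsight_home/current/user/agent/fcp/sourcefire/ to see which impact values your Connector build still leaves unmapped.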