katzmandu1 Absent Member.

Issues with Sourcefire API eStreamer Connector and Event Severity Info

Howdy everyone!

Typically the ArcSight Sourcefire API Connector will map a numeric value given by the eStreamer to the Connector to the Sourcefire threat "color". This populates the deviceAction field. Lots of people build content around this field (instead of a Priority or deviceSeverity field) because they've "migrated" from solely using an IDS/IPS (Sourcefire) to a SIEM (ArcSight).

Over the past several years, both where I currently work and at a prior customer, we sometimes would see a "number" in this field instead of the expected "color" that is used within Sourcefire. Typically the numbers "67" and "64" show up.

After a bit of hunting I found the color to number mapping is handled by a mapping .csv used by the Connector. I simply was able to override the existing mapping and add the new values.

For those looking, take a gander at $arcsight_home/current/user/agent/fcp/sourcefire/impact_flag_desc.csv -- the format is just like a regular mapping file and follows the "getter,setter" model discussed for mapping files. I just added the following...

64,Red -- Vulnerable

67,Red -- Vulnerable

Hopefully these extra values (and others that come out of Sourcefire) may be picked up by Engineering and incorporated into the next build of the Connector. I dug through the Sourcefire API guide and didn't get anywhere in trying to find more values; I had to work with my analysts to come up with this mapping by finding the same event within Sourcefire, looking at rawEvents with Preserve Raw Event, etc.
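The following is an added example, not code from the original post or from the ArcSight connector. It assumes the mapping file is a plain two-column "getter,setter" CSV as the post describes, and it does what the poster did by hand: apply the mapping to a batch of raw impact-flag values, pass unmapped values through unchanged (which is how the bare "64" and "67" ended up in deviceAction), and collect the unmapped numbers so an analyst can confirm each one in Sourcefire before appending a row. The sample flags and the "70"/"abc" values are constructed; only the 64 and 67 rows come from the post.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for the connector's impact_flag_desc.csv.
# The two rows are the ones the post added; the parsing below is this
# example's own and is not the ArcSight connector's code.
MAPPING_CSV = """64,Red -- Vulnerable
67,Red -- Vulnerable
"""

# Constructed sample of numeric impact flags seen in a batch of events.
# "70" and "abc" are made up to exercise the unmapped-value path.
SAMPLE_FLAGS = ["64", "67", "64", "70", "70", "abc"]


def load_mapping(text):
    """Parse getter,setter rows into a dict.

    Blank lines and lines starting with '#' are skipped; any other row
    that does not have exactly two columns is treated as a broken file
    rather than silently ignored.
    """
    mapping = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip().startswith("#"):
            continue
        if len(row) != 2:
            raise ValueError(f"malformed mapping row: {row!r}")
        mapping[row[0].strip()] = row[1].strip()
    return mapping


def translate(flag, mapping):
    """Return (value, was_mapped); unmapped flags pass through unchanged."""
    key = flag.strip()
    if key in mapping:
        return mapping[key], True
    return key, False


def audit(flags, mapping):
    """Translate a batch and count every value the mapping did not cover."""
    translated = []
    unmapped = Counter()
    for flag in flags:
        value, was_mapped = translate(flag, mapping)
        translated.append(value)
        if not was_mapped:
            unmapped[value] += 1
    return translated, unmapped


def render_additions(unmapped, placeholder="UNMAPPED -- verify in Sourcefire"):
    """Emit candidate rows for the mapping file, one per unmapped value.

    The setter is a placeholder on purpose: the real color has to be
    confirmed against the same event in Sourcefire, as the post describes,
    before the row is appended to impact_flag_desc.csv.
    """
    return "\n".join(f"{key},{placeholder}" for key in sorted(unmapped))


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_CSV)
    translated, unmapped = audit(SAMPLE_FLAGS, mapping)
    print("deviceAction values:", translated)
    print("unmapped (value: count):", dict(unmapped))
    print("rows to review before adding:")
    print(render_additions(unmapped))
```

Running the audit over a day's worth of raw events (with Preserve Raw Event on) turns the "why is there a number in deviceAction" question into a short list of values to check, and the placeholder setter keeps a guessed color from quietly entering the mapping file.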
