FireEye HX - Incorrect event timestamps when using the field event_at
Hi, it looks like there is a bug in https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-fireeye-json.conf
The problem is in the `elseif` condition that applies when there is no value in processEvent/timestamp, so the event timestamp is taken incorrectly.
Sample data (with the alert fields the parser sees, including event_at) is below:
<164>fenotify-7441437.warning:{"msg": "normal","appliance-id": "3CECEF7DC5E8","product": "HX","version": "5.2.0.958244","appliance": "AC2004-D-PR-FIREEYEHX03-ISD-MTE.srv.westpac.com.au","alert": { "matched_at": "2022-10-03T15:34:20.656+00:00", "_id": 655275, "sysinfo": { "_id": "5x62yl7Y30ceEuSSn4wTUk", "mac_address": "00-50-56-92-b9-48" }, "indicator_category": null, "host": { "hostname": "wbg_fe_hx_t002", "ip": "x", "os": "Windows 10 Enterprise", "gmt_offset_seconds": 39600, "agent_id": "5x62yl7Y30ceEuSSn4wTUk", "containment_state": "normal", "agent_version": "34.28.0", "domain": "CORPAU" }, "event_type": null, "condition": null, "indicator": null, "name": "generic-alert", "event_at": "2022-10-03T15:34:20.656+00:00", "event_id": null, "reported_at": "2022-10-03T15:35:26.67+00:00", "source": "TP", "resolution": "ALERT", "matched_source_alerts": null, "event_values": [ { "id": "alert--9eaf5797-6b66-45ff-8b32-8d061f6f771d", "type": "alert", "alert_type": "TP", "name": "Suspicious Windows Trust Configuration", "action_nature": "detection", "object_source": "", "description": "WinTrust SIP registry verification did not match.", "alert_context": [ "event--14953655-f5ca-44d1-9a6a-40e9e2e69658", "finding--37b0e073-3061-49c1-8e0a-6a69df847a05" ], "start_time": "2022-10-03T15:34:20.656Z", "parameters": { "match_event": "{\"event_type\":\"trust_integrity\",\"source_md5\":\"\"}" }, "attributes": { "source_path": "", "anomaly_type": "SIP_REGISTRY_MISMATCH" }, "object_status": "active", "created": "2022-10-03T15:35:26.665Z", "modified": "2022-10-03T15:35:26.665Z" }, { "id": "eventlog--2863a1a3-dde5-4d2c-aaf2-ffcd26b8a9fc", "type": "eventlog", "extensions": { "cef-log-ext": {"meta_information": { "categoryTupleDescription": "Tamper Protection detected a suspicious trust configuration", "categoryTechnique": "Suspicious Windows Trust Configuration", "categoryDeviceType": "Tamper Protection", "categoryBehavior": "Detection", "categoryOutcome": "Reported", "categorySignificance": 
"Compromise"} } } }, { "event_type": "wintrust-detection", "id": "event--14953655-f5ca-44d1-9a6a-40e9e2e69658", "type": "event", "event_attribute": { "anomaly_type": "SIP_REGISTRY_MISMATCH" }, "name": "WinTrust SIP registry verification did not match.", "objects": [ "file--33ee6626-277a-407c-b80a-a376ad3cccc2", "action--c5aee854-299b-40f2-9ec1-6f6a0ef641a6" ], "start_time": "2022-10-03T15:34:20.656Z", "object_source": "" }, { "id": "action--c5aee854-299b-40f2-9ec1-6f6a0ef641a6", "type": "action", "action_nature": "observed", "name": "wintrust-sip-registry-mismatch", "objects": [ "file--33ee6626-277a-407c-b80a-a376ad3cccc2" ], "start_time": "2022-10-03T15:34:20.656Z", "object_status": "active", "object_source": "" }, { "size_in_bytes": 0, "id": "file--33ee6626-277a-407c-b80a-a376ad3cccc2", "type": "file", "owner_group": "", "name": "", "file_extension": "", "file_path": "", "hashes": [ {"hash_algorithm": "md5","value": "" }, {"hash_algorithm": "sha256","value": "" } ], "owner_user": "", "object_source": "" }, { "risk_nature": "malicious", "id": "finding--37b0e073-3061-49c1-8e0a-6a69df847a05", "metadata": { "anomaly_type": "SIP_REGISTRY_MISMATCH", "registry_key": "x", "dll": "", "function": "" }, "type": "finding", "object_status": "active", "created": "2022-10-03T15:35:26.665Z", "modified": "2022-10-03T15:35:26.665Z" } ], "uuid": "4e7617dd-0dd7-4172-b825-b747987e3697"} }
We will review this.