
Creating single alert template for use with TCP and UDP events

Question asked by Adam Block on Feb 15, 2017

I am in the process of trying to create a reporting alert template to forward alerts to syslog/Splunk. I have hit somewhat of a stumbling block regarding the destination port meta fields.

The following is an example of the template which I am creating.

CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${name}|${severity}| externalId=${meta.sessionid} service=${meta.service} proto=${meta.ip.proto} act=${meta.action} src=${meta.ip.src} spt=${meta.tcp.srcport} dhost=${meta.alias.host} dst=${meta.ip.dst} dpt=${meta.ip.dstport} duser=${meta.user.dst} suser=${meta.user.src} cs1=${meta.did} requestClientApplication=${meta.client} cs1Label=DecoderName request=${meta.referer} cs5Label=QueryString cs5=${meta.query} cs6Label=UDPDestinationPort cs6=${meta.udp.dstport} fsize=${meta.size} fileType=${meta.extension} fname=${meta.filename} filePath=${meta.directory}

In my infrastructure, the ip.dstport meta is not populated, but rather the udp.dstport and tcp.dstport. I am intending to map the dpt CEF field to the Splunk field dest_port. The way I understand this, I need to have either dpt=${meta.tcp.dstport} OR dpt=${udp.dstport} depending on whether the session is TCP or UDP. That said, is there a way that this can be incorporated into a single template?
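The port-selection logic the question is asking for, as an added Python example that is not part of the original post and not NetWitness's own template engine: it renders a CEF line from a meta dictionary using the template's field names, picks spt and dpt from the tcp.* or udp.* meta according to ip.proto (assumed numeric, 6 for TCP and 17 for UDP), and applies CEF escaping. It generalises the question slightly by treating srcport the same way as dstport; the alert and meta values are constructed.

```python
# Added example, not code from the original post or from NetWitness. Meta keys
# follow the template above; ip.proto numbering and the sample data are assumed.

CEF_HEADER = ("deviceVendor", "deviceProduct", "deviceVersion", "name", "severity")

# Extension fields that map 1:1 to a single meta key (a subset of the template).
EXT_MAP = [("externalId", "sessionid"), ("service", "service"), ("proto", "ip.proto"),
           ("act", "action"), ("src", "ip.src"), ("dhost", "alias.host"),
           ("dst", "ip.dst"), ("duser", "user.dst"), ("suser", "user.src"),
           ("fname", "filename"), ("filePath", "directory")]

def cef_header(value):
    # CEF header fields escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    # CEF extension values escape backslash and '=', and encode line breaks.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def transport_port(meta, which):
    """Return the 'srcport' or 'dstport' for the session. Prefers ip.<which>
    when the decoder populates it; otherwise picks tcp.<which> or udp.<which>
    from ip.proto (assumed numeric: 6 = TCP, 17 = UDP), and if ip.proto is
    missing falls back to whichever transport field exists."""
    if meta.get(f"ip.{which}") is not None:
        return meta[f"ip.{which}"]
    proto = {6: "tcp", 17: "udp"}.get(meta.get("ip.proto"))
    if proto and meta.get(f"{proto}.{which}") is not None:
        return meta[f"{proto}.{which}"]
    return meta.get(f"tcp.{which}", meta.get(f"udp.{which}"))

def render_cef(alert, meta):
    """Render one CEF:0 line; extension fields with no meta value are omitted."""
    header = "|".join(cef_header(alert[k]) for k in CEF_HEADER)
    ext = [f"{k}={cef_ext(meta[m])}" for k, m in EXT_MAP if meta.get(m) is not None]
    for cef_key, which in (("spt", "srcport"), ("dpt", "dstport")):
        port = transport_port(meta, which)
        if port is not None:
            ext.append(f"{cef_key}={cef_ext(port)}")
    return f"CEF:0|{header}|" + " ".join(ext)

# Constructed sample data: one TCP session and one UDP session, no ip.dstport.
ALERT = {"deviceVendor": "RSA", "deviceProduct": "NetWitness", "deviceVersion": "10.6",
         "name": "Suspicious host|lookup", "severity": 5}
TCP_META = {"sessionid": 1001, "ip.proto": 6, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9",
            "tcp.srcport": 51000, "tcp.dstport": 443, "alias.host": "example.test"}
UDP_META = {"sessionid": 1002, "ip.proto": 17, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.53",
            "udp.srcport": 40000, "udp.dstport": 53}
```

Calling render_cef(ALERT, TCP_META) yields dpt=443 and render_cef(ALERT, UDP_META) yields dpt=53 from one code path, which is the single-template behaviour the question is after.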
