Endpoint Security Network Events Missing & Not Parsing Data

Man715 · January 1, 2021, 6:49am

I am running into two issues with the Network Events.

The first issue is that HTTPS traffic is not getting identified as HTTPS traffic and is has an empty http.request.body.content and most HTTP traffic is the same.

The other issue is that the http.request.body.content does not get parsed (when it does exist) like Packetbeat does therefore some dashboards do not work. For example, when drilling down into an IP from the network map in the SIEM, you will not see HTTP Requests associated with that IP since several fields do not exist such as http.request.method.

Is there a way to get this data parsed like Packetbeat or is Packetbeat the only way to get this functionality?

Thank you.

ferullo · January 8, 2021, 4:07am

Hi @man715, thanks for checking out Endpoint Security.

Endpoint does have some overlap with various Beats (Packetbeat in this case) for what data type is collected from machines. However, the Endpoint and Beats do not share a code base and so they don't necessarily fill in the same data in every event, which is what you're seeing.

Overtime we'll work to close gaps like this. Its good to hear the type of data you feel is missing from Endpoint data. For the time being please consider Endpoint and Beats as complimentary products, neither is a replacement for the other.

Man715 · January 8, 2021, 4:07am

Thank you for your response. I have started using PacketBeats again.

system · February 5, 2021, 4:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.