Firepower/ArcSight

Hello

There is Firepower, from which events are received in ArcSight using eStreamer.

I don't know which connector is used for this.

The problem is as follows: packet data has a custom field with a HEX code that can easily be transformed into a command. This is "highlighted" by ArcSight's built-in thresholds as critical, but somehow there is no way to see the entire message.

Please advise on this issue, but I am also interested in this point for myself.

I got a snippet of events, but in a file. I used the Common Event Format file connector and the flex regex file connector to process it. Assuming that ArcSight uses the CEF Cisco FireSIGHT Syslog SmartConnector to receive events from Firepower, which of the two options I've tested will be closer to displaying the results?

In general, I'm interested in how to process the event file and see the same result as I would see if I received them directly from Firepower, and also tell me how to deal with displaying a field with a large HEX code. And why do events have a high level of criticality for the common event file from Firepower?

P.S. Although I tested the events on the flex connector, the packet data field is still too large to view completely, and as for the Common Event Format connector, it processes the events but does not provide detailed information.

Thanks in advance

Bohdan
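One way to get at the full packet-data field when the console view truncates it is to parse the exported CEF lines offline and decode the hex yourself. The following is an added example, not code from the original post, from Cisco, or from ArcSight; it assumes the packet bytes land in the `cs1` extension key (an assumption; check which key your connector actually maps it to) and uses a constructed sample event whose hex payload is a plain HTTP request line. The severity banding follows the published CEF mapping of the header severity (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High), which is why an event whose device-side severity is 8 shows up as high in ArcSight regardless of what the packet contains.

```python
"""Parse a Firepower CEF event line and dump a large hex-encoded field.

Added example, not from the original post or from Cisco/ArcSight.
Assumes the packet bytes arrive in the 'cs1' extension key (assumption).
"""
import binascii
import re

# Constructed sample event; the hex payload is a benign HTTP request line.
SAMPLE_EVENT = (
    "CEF:0|Cisco|Firepower|6.2|1:2000|TEST RULE \\| sample|8|"
    "src=10.0.0.5 dst=10.0.0.9 cs1Label=PacketData "
    "cs1=474554202f20485454502f312e310d0a486f73743a206578616d706c650d0a"
)

# An extension key is a 'key=' token at the start or after whitespace;
# an escaped '\=' inside a value is not preceded by whitespace, so it is skipped.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')
_HEADER_KEYS = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity"]


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields and an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-separated; a literal pipe is escaped as '\|'.
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(_HEADER_KEYS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]

    ext_text = parts[7]
    extension = {}
    keys = list(_EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        # A value runs from after its '=' up to the next key token.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        value = ext_text[m.end():end].strip()
        extension[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return {"header": header, "extension": extension}


def severity_band(severity: str) -> str:
    """Map a CEF header severity (0-10) to the band ArcSight displays."""
    n = int(severity)
    if n <= 3:
        return "Low"
    if n <= 6:
        return "Medium"
    if n <= 8:
        return "High"
    return "Very-High"


def decode_hex_field(extension: dict, key: str = "cs1") -> bytes:
    """Return the raw bytes behind a hex-encoded extension value."""
    return binascii.unhexlify(extension[key])


def hexdump_lines(data: bytes, width: int = 16) -> list:
    """Render bytes as hexdump-style lines so the whole payload is reviewable."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3}} {ascii_part}")
    return lines


if __name__ == "__main__":
    event = parse_cef(SAMPLE_EVENT)
    hdr = event["header"]
    print(f"{hdr['name']} severity={hdr['severity']} ({severity_band(hdr['severity'])})")
    for line in hexdump_lines(decode_hex_field(event["extension"])):
        print(line)
```

Run it against one line copied from the event file to confirm the hex really is the payload the console truncates; for a whole file, loop over lines and call `parse_cef` on each one that starts with `CEF:`.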