icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading FireEye App for Splunk Enterprise v3
SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_370.tgz) d05359add130f307bd69831b36a37dc8915aacd6b0229bb987ed27f87408bfdc SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_350.tgz) 6bb7b27074cbec952a0dd7c70638f5c24d08163335e126488d0e12f11ab6bd1b SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_322.tgz) 692ed4624b561f4f9125c4c52127d9d0718a4fb27f3d1f114469e0833fcb8c35 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_321.tgz) ae56b8899e7e4143a85e9811fc5f415da65b98e72a66f2e7f64ee480ae0090be SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_311.tgz) 34a4d0106c0b678baf46afce4e8fa56891a1074b78d1a4b93a6b7298d0c0b08f SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_309.tgz) 292f6bc813c54075d8ab0789c72d1bc27184fef527ba5f91510f047143bae2b7 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_308.tgz) 18b94633a02e39f7b11c148b436b8ad772799a03de4655f3fa54d00b90c81ae1 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_307.tgz) 2bbbd33e3c510266dbe8cd265622b36a06e4c533dd423cd533247003b816dcab SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_306.tgz) 56158b29bfe9965b16c2636d633402b065168ea18a762fd9e62c7782bc5376ff SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_305.tgz) 1bd40eee6e480905c4bc4dde99a51cd9af77e0bea6005a692545cc013eec4e01 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_304.tgz) e0e74a6bf4c0a0fae2e47c16e33e8c8318aced5748292caaa8d9f94f95276c3f SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_303.tgz) bc930f20dd81a4d2be5276e621e2ce2fbaa91541199d4da04c023d8490513aa0 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_301.tgz) 44be2945ae194ad93933469b73f6bdc40f92d7de61a7185163ddc95f4d2ffad1 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_300.tgz) 4736fbac82c14edd82f3b4eae2dbbafd4bd4f6b4585460fd5b13dad6fbb6376b
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

FireEye App for Splunk Enterprise v3

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
This is the latest Splunk App for FireEye designed to work with Splunk 8.x.

Supported FireEye Appliances are:
- Detection On Demand (DOD)
- Network Threat Prevention Platform ( NX Series )
- Email Threat Prevention Platform (EX Series)
- Cloud Email Threat Prevention Platform (ETP)
- Forensic Analysis Platform (AX Series)
- Content Threat Prevention Platform (FX Series)
- Endpoint Threat Prevention Platform (HX Series)
- Network Forensics Platform (PX Series)
- Threat Analytics Platform (TAP)
- (Supports pulling alerts and incidents - cannot update records yet)

Supported protocols and formats is:

Welcome to the FireEye App for Splunk Enterprise

Detailed configuration guide with screenshots, available here: https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for-splunk-enterprise.pdf

Important Notes

  • Only the app is installed on the search head
  • Check out the configuration guide in the link above
  • Updating the app does not reset the Ack notes. Removing and re-installing does...
  • Email all feedback, bugs, and feature requests directly to integrate@FireEye.com
  • Setting up ETP:
  • The HX appliance logging cannot be set from the GUI as of right now, please use the CLI:
    hostname # logging <remote-IP-address> trap none
    hostname # logging <remote-IP-address> trap override class cef priority info
    hostname # write mem


Supported protocols and corresponding sourcetypes are the following.

Protocol/format Sourcetype
JSON over HTTPS fe_json
Detection on Demand fe_dod
HX Endpoint Appliance hx_cef_syslog
Threat Analytics Platform (TAP) fe_tap_json
Email Threat Prevention (ETP) fe_etp


This app is designed for both a SOC/NOC environment as well as analysts:
- Analytics menu - Dashboards designed based on customer feedback to display analytics and trending that matter most to them
- Visualization menu - Dashboards designed to be projected or displayed on a large heads-up display monitor
- Analysis menu - Dashboards designed to be used by the analysts themselves - provides more event detail and drilldown capability
- Help menu - Contains appliance health check, setup menu, and documentation
- Splunk menu - Traditional Splunk options


Most users will be able to download and install the application from the Splunk Apps Marketplace. However, more complex installations may require an additional download.
As with any Splunk app, there are 2 parts:

  1. Data collection
  2. Data visualization/analytics

Release Notes

Version 3.7.0
Nov. 20, 2020

Version 3.5.0
Oct. 31, 2020

Version 3.2.2
May 8, 2020

Version 3.2.1
May 6, 2020

Version 3.1.1
Jan. 13, 2017

- CM can send data to Splunk app using SYSLOG - JSON and XML Normal (confirmed operational for NX, EX, AX) - JSON Recommended over XML due to lower browser memory usage
- Parsing and displaying EX subject using fe_xml_syslog and fe_json_syslog (JSON and XML Normal verbosity not concise) - JSON is better than XML
- Moved syslog stripping for JSON to the fe_json_syslog stanzas and out of the syslog stanza
- NX visualization - Added Dest GeoIP map
- EX Analytics - Added panels for top 20 MD5 hashes and top 20 malware URLs
- Removed the syslog stanza (in props.conf) to improve overall parsing - If you need it, just re-enable it
- Removed _raw from the drop down in the dashboards - For XML and JSON, it was too much information
- Stripped the syslog header for fe_xml_syslog and changed kv_mode to XML. Commented our due to performance.
- FireEye Security Orchestrator integration and tasking Pivoting -> FSO Tasking
- fe_cef_syslog - rt now sets _time
- Hid the comprehensive dashboards

Version 3.0.9
Aug. 21, 2016

Feature Requests:
- App now supports ETP (Email Threat Prevention [Cloud])
- Instructions coming soon - Otherwise, email us via the Help -> Send Feedback link in the app
- App now supports IA Pivoting
- Created Pivoting tab
- Added IA Web Pivoting
- Added IA Email Pivoting
- Moved PX Pivoting to newly created Pivoting menu
- Added Analytics dashboards for all appliances

Bug fixes
- Fixed Wild card and ID filters in NX dashboard
- Fixed Links to product documentation

Version 3.0.8
July 20, 2016

Feature requests:
- Added ability to acknowledge events and add notes (NX, EX, AX, FX, HX) (Toolbox -> Acknowledge events)
Note: Ack flags and notes in the KV Store stays intact upon app upgrades. They are lost when the app is deleted and reinstalled.
- Added ability to filter based on acknowledged events
- HX has enhanced filtering to enable easier event ack and easier downloading of redline .mans files
- Changed appliance names on analytics dashboard
- Updated VTLookup - includes working event link and autosubmit of URL if not present
- Removed Source and Sourcetype columns from all dashboards

Version 3.0.7
Aug. 23, 2015

Feature requests:
- Creation of Toolbox section that contains VT Lookup page - ** Remember to delete local/data/ui/nav/default.xml and restart splunk so you can see new menu! **
- Added fields for Email CIM compliance - http://docs.splunk.com/Documentation/CIM/latest/User/Email
- Added Base64 conversion tool to Toolbox
- Added URL decoding tool to Toolbox
- Created default TAP analytics page
- Updated the Getting Started page

Bug fixes:
- json over HTTPS _time field was incorrect due to Splunk parsing the appliance-id field - Uncommented TIME_PREFIX and TIME_FORMAT fields. Thanks to Scott and Craig for noticing this issue.
- Removed bad field alias src as src for fe_cef_syslog and fe_csv_syslog
- fix_FireEye_JSON_in was missing from the TRANSFORMS-updateFireEyeIndex
- Fixed the daily analytics report. Apparently Splunk v6.2 does not like: row grouping="7"

Version 3.0.6
April 16, 2015

Feature requests:
- PX integration - Can pivot based on time, SRC and DEST IP, SRC and DEST PORT
- Now supports HX 2.5 notification format - REGEX=.*:\sCEF\:\d\|fireeye\|hx\|
- Changed VT Lookup to use external script instead of Splunk lookup - it is faster and OS independent
- VT Lookup can now accept URLs and IPs
- Created TAP comprehensive dashboard
- Updated comprehensive dashboards
- Exposed Event ID box - useful for manual entry

Bug fixes:
- Changed analytics pages to more clearly request community feedback

Version 3.0.5
March 13, 2015

Feature requests:
- Added VirusTotal Lookups for MD5 Hashes! - Thanks to Keith Tyler, Jose Hernandez, and Ian Ahl
- Made VirusTotal view accept user input -- can accept any hash even if event did not occur
- Added Metrics under Help -> Metrics - Thanks goes to Josh Tornetta
- Added JSON over Syslog
- Added Appliance Health check visualization chart (Help -> FireEye Appliance Health)
- FireEye analyics and all visualization dashboards auto refresh every hour (refresh="3600")
- Optional indexing made easier (Uncomment #TRANSFORMS-updateFireEyeIndex in props.conf)
- Added parsing of IPS signature name - eval signature=coalesce (signature, sig_name)
- Added percentage to key vizualization charts
- Standardized chart colors for severity (Color mapping is now consistent) - <option name="charting.fieldColors">{crit:0xFF1300,majr:0xFFDA00,minr:0x3C04F2}</option>

Bug fixes:
- Removed CM dashboards - there is not a clear method of sorting the events
- Set linemerge=true for [syslog] props

Version 3.0.4
Jan. 22, 2015

- Integrated TAP - Created dashboards and process to consume data
- Released FireEye_v3 TA
- Fixed transforms.conf to be universal notification parser ("Default send as" does not matter anymore). REGEX=.*fenotify.*alert\: -> REGEX=.*fenotify.*\:
- setup.xml tested and certified for Windows Splunk instances (No longer BETA)
- Corrected syslog cef host field for UTC time zone (FIELDALIAS-host_for_fireeye = dvc as host)
- Fixed occurred bug for xml over syslog -> EXTRACT-occurred_for_fireeye = <occurred>(?<occurred>.{1,25})</occurred>
- Documented bug that was affecting non-FE syslog packets [syslog] #TRUNCATE=0, #SHOULD_LINEMERGE = false, #LINE_BREAKER = ((?!))

Version 3.0.3
Oct. 9, 2014

- Forced to change the folder to FireEye_v3 -- app upload constraints tightened by Splunk
- Fixed issue with FireEye 7.2 and 7.4 XML SYSLOG parsing - More granular regex operations
- Added tags.conf to enable pivot tables
- Changed start screen to Analytics dashboard instead of search default='true' in nav/default.xml
- Enabled auto notification for updates to the FireEye app (check_for_updates = 1 in app.conf)
- Made "Enter" key work for search filter searchWhenChanged="true" in dashboards
- Clear filter button - just backspace and enter now
- Added hyperlink to analysis dashboards from total count in anayltics dashboard CDATA hyperlink
- Added CM Visualization dashboard
- Added first stab at NX Analytics dashboard
- Added daily report for Analytics dashboard - Converted to dashboard, created savedsearches.conf, added setup.conf
- disabled auto run of setup until we work out bugs for Windows Splunk instances - is_configured = true

Version 3.0.1
Aug. 20, 2014

Changed app.conf file to make is_configred = true. This should prevent the setup screen from kicking off until we work out the bug.

Version 3.0.0
Aug. 19, 2014

Latest version of the Splunk App for FireEye -- version 3.0.0


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.