icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading FireEye App for Splunk Enterprise v3
SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_311.tgz) 34a4d0106c0b678baf46afce4e8fa56891a1074b78d1a4b93a6b7298d0c0b08f SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_309.tgz) 292f6bc813c54075d8ab0789c72d1bc27184fef527ba5f91510f047143bae2b7 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_308.tgz) 18b94633a02e39f7b11c148b436b8ad772799a03de4655f3fa54d00b90c81ae1 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_307.tgz) 2bbbd33e3c510266dbe8cd265622b36a06e4c533dd423cd533247003b816dcab SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_306.tgz) 56158b29bfe9965b16c2636d633402b065168ea18a762fd9e62c7782bc5376ff SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_305.tgz) 1bd40eee6e480905c4bc4dde99a51cd9af77e0bea6005a692545cc013eec4e01 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_304.tgz) e0e74a6bf4c0a0fae2e47c16e33e8c8318aced5748292caaa8d9f94f95276c3f SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_303.tgz) bc930f20dd81a4d2be5276e621e2ce2fbaa91541199d4da04c023d8490513aa0 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_301.tgz) 44be2945ae194ad93933469b73f6bdc40f92d7de61a7185163ddc95f4d2ffad1 SHA256 checksum (fireeye-app-for-splunk-enterprise-v3_300.tgz) 4736fbac82c14edd82f3b4eae2dbbafd4bd4f6b4585460fd5b13dad6fbb6376b
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

FireEye App for Splunk Enterprise v3

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
This is the latest Splunk App for FireEye designed to work with Splunk 6.x.

App walk-through video:

New event acknowledgement feature using Splunk's KV Store:

Supported FireEye Appliances are:
- Network Threat Prevention Platform ( NX Series )
- Email Threat Prevention Platform (EX Series)
- Cloud Email Threat Prevention Platform (ETP)
- Forensic Analysis Platform (AX Series)
- Content Threat Prevention Platform (FX Series)
- Endpoint Threat Prevention Platform (HX Series)
- Network Forensics Platform (PX Series)
- Threat Analytics Platform (TAP)
- (Supports pulling alerts and incidents - cannot update records yet)

Supported protocols and formats are:
1) CEF over SYSLOG - TCP
2) CEF over SYSLOG - UDP
5) CSV over SYSLOG - TCP
6) CSV over SYSLOG - UDP
7) JSON over HTTPS
8) XML over HTTPS
9) XML over SYSLOG - TCP
10) XML over SYSLOG - UDP

Welcome to the FireEye App for Splunk Enterprise

Detailed configuration guide with screenshots, available here: https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for-splunk-enterprise.pdf

Important Notes

  • Only the app is installed on the search head, TA (below) is installed on everything else
  • When using CEF or CSV, send events from the LMS appliances -- not from the CM appliance
  • Start with a simple format (TCP SYSLOG CEF) and move to a more complex one if needed (TCP SYSLOG JSON)
  • If sending from CM, only XML and JSON normal will work. JSON and XML concise does not send originating appliance.
  • Even though XML is possible, it consumes a lot of browser memory for large events. We recommend JSON over XML.
  • Check out the configuration guide in the link above
  • Updating the app does not reset the Ack notes. Removing and re-installing does...
  • Email all feedback, bugs, and feature requests directly to Tony.Lee-at-FireEye.com
  • Setting up ETP:
  • The HX appliance logging cannot be set from the GUI as of right now, please use the CLI:
    hostname # logging <remote-ip-address> trap none
    hostname # logging <remote-ip-address> trap override class cef priority info
    hostname # write mem


The Technology add-on for this app is found here:


Supported protocols and corresponding sourcetypes are the following.

Protocol/format Sourcetype
1) CEF over SYSLOG - TCP fe_cef_syslog
2) CEF over SYSLOG - UDP fe_cef_syslog
3) JSON over SYSLOG - TCP fe_json_syslog
4) JSON over SYSLOG - UDP fe_json_syslog
5) CSV over SYSLOG - TCP fe_csv_syslog
6) CSV over SYSLOG - UDP fe_csv_syslog
7) JSON over HTTPS fe_json
8) XML over HTTPS fe_xml
9) XML over SYSLOG - TCP fe_xml_syslog
10) XML over SYSLOG - UDP fe_xml_syslog
HX Endpoint Appliance hx_cef_syslog
Threat Analytics Platform (TAP) fe_tap_json
Email Threat Prevention (ETP) fe_etp

Work Arounds

  • If you are running the Splunk Enterprise Security app, it is still shipping with our old TA so you will get some errors about failed lookups. We are working with them to update the TA. For a quick fix, disable the TA-fireeye add-on.
  • If you are running the Palo Alto Networks app and the FireEye app, change the PANW LOOKUP object share permission to App instead of Global -- Big thanks goes to Jeff Wolach of Sinnott Wolach Technology Group for troubleshooting the issue.

Enterprise Security Fix:

Apps -&gt; Manage Apps  
Next to "Splunk Add-on for Fireeye" -&gt; Status -&gt; "Disable"

Palo Alto Fix:

Apps -&gt; Manage Apps  
Next to "Splunk for Palo Alto Networks" -&gt; View objects  
Type "lookup" in the search box top right  
Next to "pan_vendor_info_lookup" -&gt; Permissions -&gt; This app only  
Next to "default : LOOKUP-vendor_info_for_pan_config" -&gt; Permissions -&gt; This app only


This app is designed for both a SOC/NOC environment as well as analysts:
- Analytics menu - Dashboards designed based on customer feedback to display analytics and trending that matter most to them
- Visualization menu - Dashboards designed to be projected or displayed on a large heads-up display monitor
- Analysis menu - Dashboards designed to be used by the analysts themselves - provides more event detail and drilldown capability
- Help menu - Contains appliance health check, setup menu, and documentation
- Splunk menu - Traditional Splunk options

Upgrading from versions prior to 3.0.x

Note: This is a complete rewrite of the Splunk App for FireEye v2 to take advantage of the Common Information Model (CIM). It is designed to be compatible with the data models in the CIM app and Enterprise Security 3.x.
You will be able to run the legacy 2.0.X Splunk App for FireEye alongside this version, but it is unnecessary. This app should render both old and new data.


Most users will be able to download and install the application from the Splunk Apps Marketplace. However, more complex installations may require an additional download.
As with any Splunk app, there are 2 parts:

  1. Data collection
  2. Data visualization/analytics


For ease of installation and use, the FireEye App for Splunk v3 is configured for all data collection by default. For more complex installations, you may require an extra app known as a Technology Add-on (TA). TAs are responsible for collecting data and usually do not have any visualizations.
For most installations, this app download contains all of the necessary components. All others will know what to do. We made the TA available for separate downloaded to collect data for the various FireEye products.


The previous Splunk App for FireEye only supported, XML over HTTPS. This version supports many different options for format and protocol. Please see the top of this page for the detailed configuration guide.


If you want to query the FireEye data using Data Models, then download and install the Common Information Model app.

Questions and feature requests (FireEye app specific): Tony.Lee -at- FireEye.com

Release Notes

Version 3.1.1
Jan. 13, 2017

- CM can send data to Splunk app using SYSLOG - JSON and XML Normal (confirmed operational for NX, EX, AX) - JSON Recommended over XML due to lower browser memory usage
- Parsing and displaying EX subject using fe_xml_syslog and fe_json_syslog (JSON and XML Normal verbosity not concise) - JSON is better than XML
- Moved syslog stripping for JSON to the fe_json_syslog stanzas and out of the syslog stanza
- NX visualization - Added Dest GeoIP map
- EX Analytics - Added panels for top 20 MD5 hashes and top 20 malware URLs
- Removed the syslog stanza (in props.conf) to improve overall parsing - If you need it, just re-enable it
- Removed _raw from the drop down in the dashboards - For XML and JSON, it was too much information
- Stripped the syslog header for fe_xml_syslog and changed kv_mode to XML. Commented our due to performance.
- FireEye Security Orchestrator integration and tasking Pivoting -> FSO Tasking
- fe_cef_syslog - rt now sets _time
- Hid the comprehensive dashboards

Version 3.0.9
Aug. 21, 2016

Feature Requests:
- App now supports ETP (Email Threat Prevention [Cloud])
- Instructions coming soon - Otherwise, email us via the Help -> Send Feedback link in the app
- App now supports IA Pivoting
- Created Pivoting tab
- Added IA Web Pivoting
- Added IA Email Pivoting
- Moved PX Pivoting to newly created Pivoting menu
- Added Analytics dashboards for all appliances

Bug fixes
- Fixed Wild card and ID filters in NX dashboard
- Fixed Links to product documentation

Version 3.0.8
July 20, 2016

Feature requests:
- Added ability to acknowledge events and add notes (NX, EX, AX, FX, HX) (Toolbox -> Acknowledge events)
Note: Ack flags and notes in the KV Store stays intact upon app upgrades. They are lost when the app is deleted and reinstalled.
- Added ability to filter based on acknowledged events
- HX has enhanced filtering to enable easier event ack and easier downloading of redline .mans files
- Changed appliance names on analytics dashboard
- Updated VTLookup - includes working event link and autosubmit of URL if not present
- Removed Source and Sourcetype columns from all dashboards

Version 3.0.7
Aug. 23, 2015

Feature requests:
- Creation of Toolbox section that contains VT Lookup page - ** Remember to delete local/data/ui/nav/default.xml and restart splunk so you can see new menu! **
- Added fields for Email CIM compliance - http://docs.splunk.com/Documentation/CIM/latest/User/Email
- Added Base64 conversion tool to Toolbox
- Added URL decoding tool to Toolbox
- Created default TAP analytics page
- Updated the Getting Started page

Bug fixes:
- json over HTTPS _time field was incorrect due to Splunk parsing the appliance-id field - Uncommented TIME_PREFIX and TIME_FORMAT fields. Thanks to Scott and Craig for noticing this issue.
- Removed bad field alias src as src for fe_cef_syslog and fe_csv_syslog
- fix_FireEye_JSON_in was missing from the TRANSFORMS-updateFireEyeIndex
- Fixed the daily analytics report. Apparently Splunk v6.2 does not like: row grouping="7"

Version 3.0.6
April 16, 2015

Feature requests:
- PX integration - Can pivot based on time, SRC and DEST IP, SRC and DEST PORT
- Now supports HX 2.5 notification format - REGEX=.*:\sCEF\:\d\|fireeye\|hx\|
- Changed VT Lookup to use external script instead of Splunk lookup - it is faster and OS independent
- VT Lookup can now accept URLs and IPs
- Created TAP comprehensive dashboard
- Updated comprehensive dashboards
- Exposed Event ID box - useful for manual entry

Bug fixes:
- Changed analytics pages to more clearly request community feedback

Version 3.0.5
March 13, 2015

Feature requests:
- Added VirusTotal Lookups for MD5 Hashes! - Thanks to Keith Tyler, Jose Hernandez, and Ian Ahl
- Made VirusTotal view accept user input -- can accept any hash even if event did not occur
- Added Metrics under Help -> Metrics - Thanks goes to Josh Tornetta
- Added JSON over Syslog
- Added Appliance Health check visualization chart (Help -> FireEye Appliance Health)
- FireEye analyics and all visualization dashboards auto refresh every hour (refresh="3600")
- Optional indexing made easier (Uncomment #TRANSFORMS-updateFireEyeIndex in props.conf)
- Added parsing of IPS signature name - eval signature=coalesce (signature, sig_name)
- Added percentage to key vizualization charts
- Standardized chart colors for severity (Color mapping is now consistent) - <option name="charting.fieldColors">{crit:0xFF1300,majr:0xFFDA00,minr:0x3C04F2}</option>

Bug fixes:
- Removed CM dashboards - there is not a clear method of sorting the events
- Set linemerge=true for [syslog] props

Version 3.0.4
Jan. 22, 2015

- Integrated TAP - Created dashboards and process to consume data
- Released FireEye_v3 TA
- Fixed transforms.conf to be universal notification parser ("Default send as" does not matter anymore). REGEX=.*fenotify.*alert\: -> REGEX=.*fenotify.*\:
- setup.xml tested and certified for Windows Splunk instances (No longer BETA)
- Corrected syslog cef host field for UTC time zone (FIELDALIAS-host_for_fireeye = dvc as host)
- Fixed occurred bug for xml over syslog -> EXTRACT-occurred_for_fireeye = <occurred>(?<occurred>.{1,25})</occurred>
- Documented bug that was affecting non-FE syslog packets [syslog] #TRUNCATE=0, #SHOULD_LINEMERGE = false, #LINE_BREAKER = ((?!))

Version 3.0.3
Oct. 9, 2014

- Forced to change the folder to FireEye_v3 -- app upload constraints tightened by Splunk
- Fixed issue with FireEye 7.2 and 7.4 XML SYSLOG parsing - More granular regex operations
- Added tags.conf to enable pivot tables
- Changed start screen to Analytics dashboard instead of search default='true' in nav/default.xml
- Enabled auto notification for updates to the FireEye app (check_for_updates = 1 in app.conf)
- Made "Enter" key work for search filter searchWhenChanged="true" in dashboards
- Clear filter button - just backspace and enter now
- Added hyperlink to analysis dashboards from total count in anayltics dashboard CDATA hyperlink
- Added CM Visualization dashboard
- Added first stab at NX Analytics dashboard
- Added daily report for Analytics dashboard - Converted to dashboard, created savedsearches.conf, added setup.conf
- disabled auto run of setup until we work out bugs for Windows Splunk instances - is_configured = true

Version 3.0.1
Aug. 20, 2014

Changed app.conf file to make is_configred = true. This should prevent the setup screen from kicking off until we work out the bug.

Version 3.0.0
Aug. 19, 2014

Latest version of the Splunk App for FireEye -- version 3.0.0


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.