When you should not use this TA:
This Technology Add-on (TA) is not necessary for simple Splunk installations (e.g. Single Splunk install -- no forwarders or separate indexers)
Instead just install the app located here: https://apps.splunk.com/app/1845
When you should use this TA:
This TA supports the FireEye_v3 app. It does not contain any dashboards and should be installed on Splunk indexers while the app itself installed on the search head.
- CM can send data to Splunk app using SYSLOG - JSON and XML Normal (confirmed operational for NX, EX, AX) - JSON Recommended over XML due to lower browser memory usage
- Parsing and displaying EX subject using fe_xml_syslog and fe_json_syslog (JSON and XML Normal verbosity not concise) - JSON is better than XML
- Moved syslog stripping for JSON to the fe_json_syslog stanzas and out of the syslog stanza
- NX visualization - Added Dest GeoIP map
- EX Analytics - Added panels for top 20 MD5 hashes and top 20 malware URLs
- Removed the syslog stanza (in props.conf) to improve overall parsing - If you need it, just re-enable it
- Removed _raw from the drop down in the dashboards - For XML and JSON, it was too much information
- Stripped the syslog header for fe_xml_syslog and changed kv_mode to XML. Commented our due to performance.
- FireEye Security Orchestrator integration and tasking Pivoting -> FSO Tasking
- fe_cef_syslog - rt now sets _time
- Hid the comprehensive dashboards
- App now supports ETP (Email Threat Prevention [Cloud])
- App now supports IA Pivoting
- Created Pivoting tab
- Added IA Web Pivoting
- Added IA Email Pivoting
- Moved PX Pivoting to newly created Pivoting menu
- Added Analytics dashboards for all appliances
- Fixed Wild card and ID filters in NX dashboard
- Fixed Links to product documentation
- Added ability to acknowledge events and add notes (NX, EX, AX, FX, HX) (Toolbox -> Acknowledge events)
Note: Ack flags and notes in the KV Store stays intact upon app upgrades. They are lost when the app is deleted and reinstalled.
- Added ability to filter based on acknowledged events
- HX has enhanced filtering to enable easier event ack and easier downloading of redline .mans files
- Changed appliance names on analytics dashboard
- Updated VTLookup - includes working event link and autosubmit of URL if not present
- Removed Source and Sourcetype columns from all dashboards
- Added fields for Email CIM compliance - http://docs.splunk.com/Documentation/CIM/latest/User/Email
- Creation of Toolbox section that contains VT Lookup page - remember to delete local/data/ui/nav/default.xml and restart splunk
- Added Base64 conversion tool to Toolbox
- Added URL decoding tool to Toolbox
- Created default TAP analytics page
- Updated the Getting Started page
- json over HTTPS _time field was incorrect due to Splunk parsing the appliance-id field - Uncommented TIME_PREFIX and TIME_FORMAT fields. Thanks to Scott and Craig for noticing this issue.
- Removed bad field alias src as src for fe_cef_syslog and fe_csv_syslog
- fix_FireEye_JSON_in was missing from the TRANSFORMS-updateFireEyeIndex
- Fixed the daily analytics report. Apparently Splunk v6.2 does not like: row grouping="7"
- PX integration - Can pivot based on time, SRC and DEST IP, SRC and DEST PORT
- Now supports HX 2.5 notification format - REGEX=.*:\sCEF\:\d\|fireeye\|hx\|
Matches FireEye app version 3.0.4
Fixes icon issue
v3.0.3 - First version of TA to match the FireEye_v3 app
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.