icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading FireEye Add-on for Splunk Enterprise
SHA256 checksum (fireeye-add-on-for-splunk-enterprise_311.tgz) a85f9d748310102027dc73875f2b89d7840050b3e92ef8efd7bb2ab133ae3174 SHA256 checksum (fireeye-add-on-for-splunk-enterprise_309.tgz) d3850e6fc1d1b8c7e5d553827e6c724e8d68053dcec45317534d5a1b8dd3d010 SHA256 checksum (fireeye-add-on-for-splunk-enterprise_308.tgz) ba9ebba8da37cbaf3c24f6815836725df8d9ded19c644d9e316c8bd41b6156c4 SHA256 checksum (fireeye-add-on-for-splunk-enterprise_307.tgz) be9d91b1fcb2a970cd4e0febea29d5c86b7bdaa9f13252b8e509aec775d29085 SHA256 checksum (fireeye-add-on-for-splunk-enterprise_306.tgz) 51f24fe1f1ca6d8419a902616364ea3543633291b6ea5b3a288a048b1dac3f6a SHA256 checksum (fireeye-add-on-for-splunk-enterprise_304.tgz) ea81b3de87b2eaf92a7f00b2f164b451d3db6ba2969073ac66682a94d8b2f4ed SHA256 checksum (fireeye-add-on-for-splunk-enterprise_303.tgz) 31df3ceff69fba9212ff8ae7b169dc0d59d5494c6d8030087b03aa377b557af9
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

FireEye Add-on for Splunk Enterprise

Overview
Details
FireEye TA to support the FireEye_v3 app found here: https://apps.splunk.com/app/1845/

App walk-through video:
http://youtu.be/-KBN1Xvqe6U

Supported FireEye Appliances are:
- Network Threat Prevention Platform ( NX Series )
- Email Threat Prevention Platform (EX Series)
- Forensic Analysis Platform (AX Series)
- Content Threat Prevention Platform (FX Series)
- Endpoint Threat Prevention Platform (HX Series)
- Network Forensics Platform (PX Series)
- Threat Analytics Platform (TAP)

Supported protocols and formats are:
1) JSON over HTTPS
2) XML over HTTPS
3) CEF over SYSLOG - TCP
4) CEF over SYSLOG - UDP
5) XML over SYSLOG - TCP
6) XML over SYSLOG - UDP
7) JSON over SYSLOG - TCP
8) JSON over SYSLOG - UDP
9) CSV over SYSLOG - TCP
10) CSV over SYSLOG - UDP

When you should not use this TA:
This Technology Add-on (TA) is not necessary for simple Splunk installations (e.g. Single Splunk install -- no forwarders or separate indexers)
Instead just install the app located here: https://apps.splunk.com/app/1845

When you should use this TA:
This TA supports the FireEye_v3 app. It does not contain any dashboards and should be installed on Splunk indexers while the app itself installed on the search head.

Release Notes

Version 3.1.1
Jan. 13, 2017

v3.1.1
- CM can send data to Splunk app using SYSLOG - JSON and XML Normal (confirmed operational for NX, EX, AX) - JSON Recommended over XML due to lower browser memory usage
- Parsing and displaying EX subject using fe_xml_syslog and fe_json_syslog (JSON and XML Normal verbosity not concise) - JSON is better than XML
- Moved syslog stripping for JSON to the fe_json_syslog stanzas and out of the syslog stanza
- NX visualization - Added Dest GeoIP map
- EX Analytics - Added panels for top 20 MD5 hashes and top 20 malware URLs
- Removed the syslog stanza (in props.conf) to improve overall parsing - If you need it, just re-enable it
- Removed _raw from the drop down in the dashboards - For XML and JSON, it was too much information
- Stripped the syslog header for fe_xml_syslog and changed kv_mode to XML. Commented our due to performance.
- FireEye Security Orchestrator integration and tasking Pivoting -> FSO Tasking
- fe_cef_syslog - rt now sets _time
- Hid the comprehensive dashboards

Version 3.0.9
Aug. 21, 2016

v3.0.9
Feature Requests:
- App now supports ETP (Email Threat Prevention [Cloud])
- App now supports IA Pivoting
- Created Pivoting tab
- Added IA Web Pivoting
- Added IA Email Pivoting
- Moved PX Pivoting to newly created Pivoting menu
- Added Analytics dashboards for all appliances

Bug fixes
- Fixed Wild card and ID filters in NX dashboard
- Fixed Links to product documentation

Version 3.0.8
July 20, 2016

v3.0.8
Feature requests:
- Added ability to acknowledge events and add notes (NX, EX, AX, FX, HX) (Toolbox -> Acknowledge events)
Note: Ack flags and notes in the KV Store stays intact upon app upgrades. They are lost when the app is deleted and reinstalled.
- Added ability to filter based on acknowledged events
- HX has enhanced filtering to enable easier event ack and easier downloading of redline .mans files
- Changed appliance names on analytics dashboard
- Updated VTLookup - includes working event link and autosubmit of URL if not present
- Removed Source and Sourcetype columns from all dashboards

Version 3.0.7
Aug. 23, 2015

v3.0.7
Feature requests:
- Added fields for Email CIM compliance - http://docs.splunk.com/Documentation/CIM/latest/User/Email
- Creation of Toolbox section that contains VT Lookup page - remember to delete local/data/ui/nav/default.xml and restart splunk
- Added Base64 conversion tool to Toolbox
- Added URL decoding tool to Toolbox
- Created default TAP analytics page
- Updated the Getting Started page

Bug fixes:
- json over HTTPS _time field was incorrect due to Splunk parsing the appliance-id field - Uncommented TIME_PREFIX and TIME_FORMAT fields. Thanks to Scott and Craig for noticing this issue.
- Removed bad field alias src as src for fe_cef_syslog and fe_csv_syslog
- fix_FireEye_JSON_in was missing from the TRANSFORMS-updateFireEyeIndex
- Fixed the daily analytics report. Apparently Splunk v6.2 does not like: row grouping="7"

Version 3.0.6
April 17, 2015

v3.0.6
Feature requests:
- PX integration - Can pivot based on time, SRC and DEST IP, SRC and DEST PORT
- Now supports HX 2.5 notification format - REGEX=.*:\sCEF\:\d\|fireeye\|hx\|

Version 3.0.4
Jan. 23, 2015

Matches FireEye app version 3.0.4
Fixes icon issue

Version 3.0.3
Nov. 12, 2014

v3.0.3 - First version of TA to match the FireEye_v3 app

982
Installs
4,867
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.