Package checksums (SHA256)

fireeye_208.tgz 2d835147ca4698fe2525c9be11ad07fd25054e0bda2d1b305585eff0a91afb66
fireeye_207.tgz f1795ac0ff3201b4a06c6c1cac30f90a57b4d69fcc19241baea66142d1ebb9fa
fireeye_206.tgz 68a19b7663d3edb45edec48936f94ef8fea8921688878654120eb771a5b38f95
fireeye_205.tgz b37ab8157c8bbb4f6c9579e09a20b6a6d2a5a12d4ef3cc43c67d3086cbcc208b
fireeye_204.tgz f3c84c1967b1745c0efa3750aea6035c8b66c0329192d16aa24c4548ab87b017
fireeye_203.tgz a46f1992b5f9a1ee3048416aaa6a88830d851d9e7ac6b998eaa46472466fb8c5
fireeye_202.tgz e192b97b68c5c68df15032e652addb0f6e41d8ff0ef8ae53034fb6bfdc34c93c
fireeye_201.tgz b198ba6cce14786bffd56db97ef3d0996ef87f84de01540b6752de3edcffd140
fireeye_20.tgz 74b5799cba1b4906f1c79282141a008672ec6eb12ef5052b3e3b8fbe02e0c3fe
fireeye_12.tgz 76025cf31e50811a8ed7711410b49b832791cc1ecbedfa8bf0e6e0a8996350d5
FireEye

Update:
This app is for Splunk v5 and prior. Try our new app designed to work for Splunk v6 at http://apps.splunk.com/app/1845/. We are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!

FireEye cyber security products combat today's advanced persistent threats (APTs). As an integral piece of an Adaptive Defense strategy, our state-of-the-art network security offerings protect against cyber attacks that bypass traditional signature-based tools such as antivirus software, next-generation firewalls, and sandbox tools.

Version 2.0 of the app was designed to take data from FireEye's XML output. It allows for deeper investigations than CEF-formatted syslog data.

IMPORTANT


This app can be installed on Splunk v6 using the instructions found here: http://securitysynapse.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html

However, this app is designed to work on Splunk 4.3.x and 5.x due to its heavy use of HTML 5 dashboards. A new app will be written from scratch to take advantage of new Splunk v6 features.
For any help or feedback for this app, please post your questions to answers.splunk.com and add the FireEye tag to your question.

The 1.x versions of this app relied on the syslog data from FireEye devices. The views, dashboards and extractions in the current app rely on the XML output format from FireEye. While the previous version's views and dashboards are included in this app, they have not been tested with the XML data format. If you really want the previous dashboards, we suggest that you not upgrade to version 2.x, or you can customize the older views to match the fields extracted from the XML.

You will have to configure the FireEye to export events via HTTP in XML format in order for this app to work. Please see the FireEye Config section below for details. Short version: the HTTP location for the FireEye log forwarding must be of the form below:

https://localhost:8089/services/receivers/simple?source=FE_test&sourcetype=fe_xml&index=fe

You should replace 'localhost' above with the name of your Splunk server. Do not change the sourcetype or the index parameters above; changing them will break the dashboards and extractions.

Common Issues

-- There is nothing on the main page.
- The main overview page is a real-time view, so if there have been no events in the last 5 minutes, the dashboards will be empty.

-- The Malware overview page has an empty dashboard for the Business Units impacted.
- The Business Unit chart works off a lookup table. You will have to create or use a lookup table built for your environment. The lookup table used by default is located at $SPLUNK_HOME/etc/apps/FireEye/lookups/asset_lookup.csv. For more detail on lookup tables, please see this link:

-- Browser hangs on certain searches with very large events.
- In very rare cases, for very large events (in excess of 2 Mb), the web browser hangs when attempting to return the event in the Events list.
- Use the table command to display specific fields instead of the entire event, e.g. alert_id=1234 | table malware_name src_ip dst_ip

Dependencies

The app requires the following Splunk apps, available from Splunk Base:

- Splunk for Google Maps
- Splunk for Geo Location Lookup Script

You do not need to install these apps if you do not wish to use the mapping and geolocation features; however, the main dashboard will not render properly without them.

Installing

Ensure that the apps listed in the Dependencies section are installed.

Installing via the Web UI:
Go to Manager -> Apps -> Find more apps online: search for fireeye -> click the 'Install Free' link below the FireEye app (not the TA-fireeye) -> Ready to install page -> Install.
Check the Upgrade button if you have an older version installed.

Installing from command line:
- Unpack the fireeye.spl file using: tar -vxzf fireeye.spl
- Move the resulting FireEye directory into $SPLUNK_HOME/etc/apps
- Restart Splunk
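The command-line install above has two steps a practitioner will want to check before moving the directory into $SPLUNK_HOME/etc/apps: that the downloaded package matches the SHA256 published on this page, and that the archive unpacks cleanly to a single FireEye directory (release 2.0.7 notes that earlier packages produced hidden files, and a tar member with an absolute or `..` path would land outside the apps directory). The following is an added example, not code from the app or from FireEye; the two checksums it embeds are copied from this page, and `make_archive` only builds a constructed test input.

```python
"""Verify a downloaded Splunk for FireEye package against its published
SHA256 and audit the archive before unpacking it into $SPLUNK_HOME/etc/apps.
Added example; not part of the app itself."""
import hashlib
import io
import os
import tarfile

# Checksums copied from the Splunkbase download dialog for this app.
PUBLISHED_SHA256 = {
    "fireeye_208.tgz": "2d835147ca4698fe2525c9be11ad07fd25054e0bda2d1b305585eff0a91afb66",
    "fireeye_207.tgz": "f1795ac0ff3201b4a06c6c1cac30f90a57b4d69fcc19241baea66142d1ebb9fa",
}


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """True when the SHA256 of data matches the published digest."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def verify_file(path: str, expected_hex: str) -> bool:
    """Stream the file so large packages do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()


def audit_archive(archive: bytes) -> dict:
    """Classify members: paths that would escape the apps directory, hidden
    files (the 2.0.7 packaging bug), and the top-level directories found
    (expected to be exactly ['FireEye'])."""
    unsafe, hidden, top = [], [], set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            parts = [p for p in m.name.split("/") if p and p != "."]
            if not parts:
                continue
            if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                unsafe.append(m.name)
                continue
            top.add(parts[0])
            if any(p.startswith(".") for p in parts):
                hidden.append(m.name)
    return {"unsafe": unsafe, "hidden": hidden, "top": sorted(top)}


def make_archive(names) -> bytes:
    """Build a small .tgz in memory: constructed test input, one stub file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in names:
            payload = b"# constructed placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def install(path: str, expected_hex: str = None,
            splunk_home: str = os.environ.get("SPLUNK_HOME", "/opt/splunk")) -> dict:
    """Verify, audit, then extract into $SPLUNK_HOME/etc/apps; restart Splunk afterwards."""
    expected = expected_hex or PUBLISHED_SHA256.get(os.path.basename(path))
    if expected is None:
        raise SystemExit(f"{path}: no published checksum known, pass expected_hex")
    if not verify_file(path, expected):
        raise SystemExit(f"{path}: SHA256 mismatch, refusing to install")
    with open(path, "rb") as f:
        report = audit_archive(f.read())
    if report["unsafe"] or report["top"] != ["FireEye"]:
        raise SystemExit(f"{path}: unexpected archive layout {report}")
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    with tarfile.open(path, "r:*") as tf:
        tf.extractall(apps_dir)  # members were audited above
    return report


if __name__ == "__main__":
    import sys
    print(install(sys.argv[1]))
```

Run it as `python install_check.py fireeye_208.tgz` on the host with SPLUNK_HOME set; if the file was renamed to fireeye.spl, pass the expected digest explicitly. A non-empty `hidden` list is worth a look but is not fatal, whereas `unsafe` members or a second top-level directory abort the install.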

FireEye Config

You will have to modify your FireEye's logging configuration to send the
logs to Splunk in XML via HTTP. To do this, on your FireEye appliance, go
to the Settings menu tab, then Notifications on the left side submenu.
Select http from the Protocol options.

In the HTTP Configuration Server Listing configuration, enter a name value
and click Add HTTP Server. You will see your newly added server name
listed below. Populate the values appropriately:

Server URL:

ame&sourcetype=fe_xml&index=fe

  • You must replace "SplunkServerIP" with the correct IP of your Splunk
    server instance; it is also recommended that you replace
    "FireEyeServerName" with the host name of the FireEye MPS system from
    which alerts will be sent.

Auth : Must be checked

Username : Enter your Splunk login username

Password: Enter your Splunk login password

Notifications : Select All Events (recommended)

Delivery : Select Per Event (recommended)

SSL Enable : Must be selected

Message Format : XML Extended (recommended, but any XML option can be used)

Lastly, you should disable syslog or any other notifications to Splunk,
unless you want the notifications ingested twice.

Source types

As Splunk indexes your FireEye data, the app renames the sourcetypes to FireEye_CEF for the standard syslog (CEF) format and fe_xml for the XML data.

In order to get the XML data into Splunk you will have to modify your FireEye appliance by going to the Notifications section in the appliance's web UI and selecting http as the protocol and XML as the format. The URL will be of the form below, except replace localhost with the name of your Splunk server. You can also replace source=FE_test with the name you want for your FireEye. The index=fe and sourcetype=fe_xml parameters should not be changed: the dashboards and views rely on the fe index and the fe_xml sourcetype being present.

https://localhost:8089/services/receivers/simple?source=FE_test&sourcetype=fe_xml&index=fe
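The receiver URL shown here, in the overview, and in the FireEye Config section carries two parameters the dashboards depend on, and it goes into the appliance's notification settings with Splunk credentials attached. Before pointing the appliance at Splunk it is worth building the URL programmatically, checking it against those constraints, and posting one test event to confirm the receiver accepts it. The following is an added example, not code from the app or from FireEye. It assumes the standard Splunk management port 8089 and HTTP basic authentication on the receivers/simple endpoint, as the page's own instructions (Auth checked, username and password, SSL enabled) indicate; the sample XML body is constructed and much smaller than a real FireEye alert.

```python
"""Build and sanity-check the Splunk receivers/simple URL that the FireEye
appliance posts XML alerts to, and optionally send one test event.
Added example; not part of the app."""
import base64
import ssl
import urllib.parse
import urllib.request

# Fixed by the app's dashboards and extractions; only 'source' is yours to choose.
REQUIRED = {"sourcetype": "fe_xml", "index": "fe"}


def build_receiver_url(splunk_host: str, source: str, port: int = 8089) -> str:
    """Assemble the URL in the form the page shows, with the fixed parameters."""
    query = urllib.parse.urlencode({"source": source, **REQUIRED})
    return f"https://{splunk_host}:{port}/services/receivers/simple?{query}"


def check_receiver_url(url: str) -> list:
    """Return a list of problems; an empty list means the app can use this URL."""
    problems = []
    u = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(u.query))
    if u.scheme != "https":
        problems.append("scheme must be https: the Splunk credentials travel with every post")
    if u.path != "/services/receivers/simple":
        problems.append("path must be /services/receivers/simple")
    for key, value in REQUIRED.items():
        if q.get(key) != value:
            problems.append(f"{key} must be {value!r}, got {q.get(key)!r}")
    if not q.get("source"):
        problems.append("source is empty; set it to the FireEye appliance name")
    return problems


# Constructed minimal body; real FireEye XML Extended alerts carry many more fields.
SAMPLE_XML = b'<alerts><alert id="1"><src><ip>10.0.0.5</ip></src></alert></alerts>'


def post_test_event(url: str, username: str, password: str,
                    body: bytes = SAMPLE_XML, cafile: str = None) -> int:
    """POST one event with basic auth over TLS and return the HTTP status.
    cafile lets you pin the Splunk server certificate instead of the system store."""
    problems = check_receiver_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/xml"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    url = build_receiver_url("splunk.example.internal", "FE_test")  # hostname is a placeholder
    print(url, check_receiver_url(url) or "ok")
```

After a successful post, `index=fe sourcetype=fe_xml source=FE_test` in Splunk should return the test event; if it does not, the problem is on the Splunk side (credentials, port, receiver enabled) rather than in the appliance configuration.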

Search macros

The dashboards rely on the search macros for views. These macros are defined in $SPLUNK_HOME/etc/apps/SplunkforFireEye/default/macros.conf.

You should only edit the base macros. Base macros begin with BASE in their name, e.g. BASE-FireEye_index. If you already have data that has been indexed as a different sourcetype, add your sourcetype to the definition. For example:

definition = sourcetype="fe_xml" OR sourcetype="foo" OR sourcetype="bar"

Important: All other macros should not be edited.
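Editing macros.conf by hand makes it easy to touch the wrong stanza or to drop a sourcetype into an OR clause without the quoting the definition above uses. As an added example (not part of the app), here is a small helper that appends a sourcetype to a BASE macro's definition and refuses to modify any other macro. The macros.conf content it carries is constructed: the BASE-FireEye_index name is from this page, but the second stanza and both definitions are placeholders standing in for whatever the shipped file contains. Splunk .conf files are INI-like, so Python's configparser reads them; write the result to the app's local/macros.conf rather than editing default/.

```python
"""Append a sourcetype to a BASE macro in macros.conf without touching other
macros.  Added example, not the app's own code; the sample conf is constructed."""
import configparser
import io
import re

# Constructed stand-in for $SPLUNK_HOME/etc/apps/SplunkforFireEye/default/macros.conf
SAMPLE_MACROS_CONF = """[BASE-FireEye_index]
definition = sourcetype="fe_xml"

[FireEye_malware]
definition = `BASE-FireEye_index` malware_name=*
"""

SOURCETYPE_RE = re.compile(r"[\w:.\-]+")  # keeps the quoted clause well formed


def _parse(conf_text: str) -> configparser.ConfigParser:
    # Splunk values contain '%' and '=' freely, so disable interpolation and
    # split only on the first '='; optionxform=str preserves key case.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def editable(macro: str) -> bool:
    """The page's rule: only macros whose name begins with BASE may be changed."""
    return macro.startswith("BASE")


def get_definition(conf_text: str, macro: str) -> str:
    return _parse(conf_text)[macro]["definition"]


def add_sourcetype(conf_text: str, macro: str, sourcetype: str) -> str:
    """Return the conf text with sourcetype OR-ed into the macro's definition.
    Idempotent: a sourcetype that is already present is not added twice."""
    if not editable(macro):
        raise ValueError(f"{macro}: only BASE macros may be edited")
    if not SOURCETYPE_RE.fullmatch(sourcetype):
        raise ValueError(f"{sourcetype!r}: not a plausible sourcetype name")
    cp = _parse(conf_text)
    if macro not in cp:
        raise KeyError(f"{macro}: no such stanza")
    definition = cp[macro]["definition"]
    clause = f'sourcetype="{sourcetype}"'
    if clause not in definition.split(" OR "):
        cp[macro]["definition"] = f"{definition} OR {clause}"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(add_sourcetype(SAMPLE_MACROS_CONF, "BASE-FireEye_index", "foo"))
```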

Lookups

Lookups are provided for a sample environment to resolve IP addresses and machine hostnames to users and business units. The lookup will have to be modified to fit your environment.
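The empty Business Units chart described under Common Issues is what you get when alert source addresses have no row in asset_lookup.csv. This added example (not the app's own code) shows the enrichment that chart depends on, run outside Splunk over a constructed lookup and a few constructed alerts, so you can see which addresses fall through to "unknown" before you replace the shipped file. The column names ip, hostname, user and business_unit are assumptions; match them to the columns in $SPLUNK_HOME/etc/apps/FireEye/lookups/asset_lookup.csv and the field names the app extracts.

```python
"""Resolve alert source IPs to hostname, user and business unit from a CSV
lookup, the way the Business Units chart does.  Added example; column names
are assumptions and the data is constructed."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed stand-in for asset_lookup.csv.
ASSET_LOOKUP_CSV = """ip,hostname,user,business_unit
10.1.2.3,ws-fin-017,alice,Finance
10.1.2.4,ws-fin-018,bob,Finance
10.2.0.9,srv-eng-db1,svc-db,Engineering
not-an-ip,bad-row,nobody,Ignored
"""

# Constructed alerts with the field names the app's own example search uses.
SAMPLE_ALERTS = [
    {"alert_id": "1001", "src_ip": "10.1.2.3", "malware_name": "Trojan.Generic"},
    {"alert_id": "1002", "src_ip": "10.1.2.4", "malware_name": "Trojan.Generic"},
    {"alert_id": "1003", "src_ip": "10.2.0.9", "malware_name": "Backdoor.Sample"},
    {"alert_id": "1004", "src_ip": "192.168.77.5", "malware_name": "Trojan.Generic"},
]

ENRICH_FIELDS = ("hostname", "user", "business_unit")


def load_lookup(csv_text: str) -> dict:
    """Index rows by parsed IP; malformed rows are skipped, not fatal."""
    lookup = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            key = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            continue
        lookup[key] = {k: v.strip() for k, v in row.items()}
    return lookup


def enrich(alert: dict, lookup: dict) -> dict:
    """Return a copy of the alert with the lookup fields added, 'unknown' on a miss."""
    hit = lookup.get(ipaddress.ip_address(alert["src_ip"]))
    out = dict(alert)
    for field in ENRICH_FIELDS:
        out[field] = hit[field] if hit else "unknown"
    return out


def business_unit_counts(alerts, lookup: dict) -> dict:
    """What the Business Units chart would plot for these alerts."""
    return dict(Counter(enrich(a, lookup)["business_unit"] for a in alerts))


def unmatched_ips(alerts, lookup: dict) -> list:
    """Addresses that need a row in the lookup before the chart covers them."""
    return sorted({a["src_ip"] for a in alerts
                   if ipaddress.ip_address(a["src_ip"]) not in lookup})


if __name__ == "__main__":
    table = load_lookup(ASSET_LOOKUP_CSV)
    print(business_unit_counts(SAMPLE_ALERTS, table))
    print("unmatched:", unmatched_ips(SAMPLE_ALERTS, table))
```

Treat a large "unknown" share as a data problem with the lookup rather than with the dashboard; feeding the unmatched list back into the CSV is the fix the page describes.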

Using the form fields on the dashboards

All the dashboards work without any filtering values for the form fields. If you want to filter based on a field you should use asterisks before and after the search terms unless you are absolutely sure of the filter value, e.g. you can use *172.168.* for IP addresses or *Trojan* for malware names.

Keep in mind that searches over longer time ranges may take longer to return results.

Support and Help

If you require some help with the app or have questions, please post to answers.splunk.com and add the FireEye tag to your question.

Release Notes

Version 2.0.8
May 22, 2014

If your app is working as expected, there is no need to update as there are no feature enhancements. This release is intended to fix a problem with some of the dashboards not displaying properly.

Patch to fix the FireEye Overview and Malware Overview dashboards.
- This patch should also enable the app to work with FireEye OS 6.x and 7.x wMPS appliances (accounting for "pretty print" XML in FE OS 7.1)
- Splunk v6 installation possible when following the instructions found here: http://securitysynapse.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html

Version 2.0.7
July 9, 2013

Fixed: Unpacking the compressed archive was producing hidden files

Version 2.0.6
April 22, 2013

Various fixes.

Version 2.0.5
Sept. 28, 2012

Fixed bug in field extractions for MAC addresses. Many thanks to John Dunlea.

Version 2.0.4
Sept. 28, 2012

Fixed: field filtering not working in Analysis view

Version 2.0.3
Sept. 27, 2012

Fixed a variety of bugs related to field extractions. Macro Fixes. And Search Optimizations. Also updated the README and Install instructions.

Version 2.0.2
Sept. 12, 2012

Fixed Splunk crashing issue due to index naming issues.

Version 2.0.1
Sept. 11, 2012

Minor changes in the README. Credit Bart Grantham

Version 2.0
Sept. 11, 2012

Release 2.0

Takes in logs from the FireEye XML output.

Version 1.2
Nov. 5, 2010

README: if upgrading, it is recommended that you rename metadata/local.meta to metadata/local.meta.bak

- updated default app permissions
