Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading FireEye
MD5 checksum (fireeye_208.tgz) 3ac1224ea5252c579799c9cb70fc0f10 MD5 checksum (fireeye_207.tgz) b2cb0a763a9db29c4d2e6949289b0bf8 MD5 checksum (fireeye_206.tgz) 96e1f9abb8f09b0c0cf2ecdc051795a4 MD5 checksum (fireeye_205.tgz) f4285e80c07e75b47d4dc978199dbc84 MD5 checksum (fireeye_204.tgz) ccc709581c31b00f74beda6a4eda5b50 MD5 checksum (fireeye_203.tgz) 5f65bfa0cdf9b0433a4a803dfeca3eac MD5 checksum (fireeye_202.tgz) 792f4ec5304f7e7f7a4b032bba8b5462 MD5 checksum (fireeye_201.tgz) 3b809922c2b94c1da5862c74ead48332 MD5 checksum (fireeye_20.tgz) 9d850e5a23f9f063212c3af6de0a139d MD5 checksum (fireeye_12.tgz) f75690d913fcbb9a73632483ea84939a
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Description required

FireEye

Overview
Details
**Update:
This app is for Splunk v5 and prior. Try our new app designed to work for Splunk v6 at [http://apps.splunk.com/app/1845/]. We are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!

FireEye cyber security products combat today's advanced persistent threats (APTs). As an integral piece of an Adaptive Defense strategy, our state-of-the-art network security offerings protect against cyber attacks that bypass traditional signature-based tools such as antivirus software, next-generation firewalls, and sandbox tools

Version 2.0 of the app was designed to take data from FireEye's XML output. It allows for deeper investigations then CEF formatted, syslog data.

IMPORTANT

**Update:
This app is for Splunk v5 and prior. Try our new app designed to work for Splunk v6 at http://apps.splunk.com/app/1845/. We are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!

This app can be installed on Splunk v6 using the instructions found here: http://securitysynapse.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html

However, this app is designed to work on Splunk 4.3.x and 5.x due to its heavy use of HTML 5 dashboards. A new app will be written from scratch to take advantage of new Splunk v6 features.
For any help or feedback for this app please post your questions to answers.splunk.com and add the FireEye tag your question

The 1.x versions of this app relied on the syslog data from FireEye devices. The views, dashboards and extractions in the current app rely on the XML output format from FireEye. While the previous version's views and dashboards are included in this app, they have not been tested with the XML data format. If you really want the previous dashboards, we suggest that you not upgrade to version 2.x. OR you can customize the older views to match the fileds based on the XML.

You will have to configure the FireEye to export event via http, xml in order for this app to work. Please see the FireEye Config section below for details. Short version: The http location for the FireEye log forwarding is to be of the form below:

https://localhost:8089/services/receivers/simple?source=FE_test&sourcetype=fe_xml&index=fe

You should replace 'localhost', above with the name of your splunk server. Do Not change the sourcetype or the index parameters above. They will break the dashboards and extractions.

Common Issues

-- There is nothing on the main page.
\- The main overview page is a realtime view. So if you don't have events in the last 5 minutes. The dashboards will be empty

-- The Malware overview page has an empty dashboard for the Business Units impacted
\- The business Unit chart works off a lookup table. You will have to create/use a lookup table that is built for your environment. The lookup table used by default is located at $SPLUNK_HOME/etc/apps/FireEye/lookups/asset_lookup.csv. For more detail on lookup tables please see this link:

-- Browser hangs on certain searches with very large events.
\- In very rare cases, for very large events, in excess of 2 Mb. the web browser hangs when attempting to return the event in the Events list.
\- Use the table command to use the table view with specific fields instead of the entire event. e.g. alert_id=1234 | table malware_name src_ip dst_ip

Dependencies

The app requires the following Splunk Apps available from Splunk Base :

- Splunk for Google Maps
- Splunk for Geo Location Lookup Script

You do not need to install these apps if you do not wish to use the Apps mapping and geo location features. The main dashboard will not render properly without the above apps.

Installing

Ensure that the apps listed in the Dependencies section are installed.

Installing via the Web UI :
Go to Manager -> Apps -> Find more apps online: search for fireeye -> Click on the 'Install Free' link below the FireEye app (not the TA-fireeye) -> Ready to install Page -> Install
Check the Upgrade button if you have an older version installed

Installing from command line:
- Unpack the fireeye.spl file using: tar -vxzf fireeye.spl.
- Move the resulting FireEye directoryinto $SPLUNK_HOME/etc/apps
- Restart Splunk

FireEye Config

You will have to modify your FireyEye's logging configuration to send the
logs to Splunk in xml via http. To do this, on your FireEye appliance, go
to the Settings menu Tab, then Notifications on the left side submenu.
Select http from the Protocol options.

In the HTTP Configuration Server Listing configuration, enter a name value
and click Add HTTP Server. You will see your newly added server name
listed below. Populate the values appropriately:

Server Url :

ame&sourcetype=fe_xml&index=fe

  • You must replace the "SplunkServerIP" with correct IP of your Splunk
    server instance, it is also recommended that you replace
    "FireEyeServerName" with the host name of FireEye MPS system from which
    alerts will be sent from.

Auth : Must be checked

Username : Enter your Splunk login username

Password: Enter your Splunk login password

Notifications : Select All Events (recommended)

Delivery : Select Per Event (recommended)

SSL Enable : Must be selected

Message Format : XML Extended ( recommended, but any XML option can be
used)

Lastly, you should disable the syslog or any other notifications to
Splunk; unless you want the notifications ingested twice.

Source types

As Splunk indexes your FireEye data, the app will rename the sourcetypes to FireEye_CEF, for the standard syslog, CEF format and fe_xml for the XML data.

In order to get the XML data into Splunk you will have to modify your FireEye appliance by going to the Notifications section in the appliance's web ui, select http and XML for the format. The URL will be of the form below, except replace localhost with the name of your splunk server. You can also replace the source=FE_test with the name you want for your FireEye. The index=fe and the sorucetype=fe_xml should not be changed. the dashboards and views rely on the fe index and the fe_xml source type being present.

https://localhost:8089/services/receivers/simple?source=FE_test&sourcetype=fe_xml&index=fe

Search macros

The dashboards rely on the search macros for views. These macros are defined in $SPLUNK_HOME/etc/apps/SplunkforFireEye/default/macros.conf.

You should only edit the base macros. Base Macros begin with BASE in their name. E.g. BASE-FireEye_index. If you already have data that has been indexed as a different sourcetype, add your sourcetype to the definition. For example:

definition = sourcetype="fe_xml" OR sourcetype="foo" OR sourcetype="bar"

Important: All other macros should not be edited.

Lookups

Lookups are provided for a sample environment to resolve IP addresses machine hostnames to Users and business units. The lookup will have to be modified to fit your environment.

Using the form fields on the dashboards

All the dashboards work without any filtering values for the form fields. If you want to filter based on a field you should use asterisks before and after the search terms unless you are absolutely sure of the filter value. e.g. you can use 172.168. for IP addresses or Trojan for malware names.

Keep in mind that searches that have longer time ranges may take a little longer to return the results.

Support and Help

If you require some help with the app or have questions, please post to answers.splunk.com and add the FireEye tag your question

Release Notes

Version: 2.0.8

If your app is working as expected, there is no need to update as there are no feature enhancements. This release is intended to fix a problem with some of the dashboards not displaying properly. Patch to fix the FireEye Overview and Malware Overview dashboards. - This patch should also enable the app to work with FireEye OS 6.x and 7.x wMPS appliances (accounting for "pretty print" XML in FE OS 7.1) - Splunk v6 installation possible when following the instructions found here: http://securitysynapse.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html

May 22, 2014, 1:10 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.7

Fixed: Unpacking the compressed archive was producing hidden files

July 9, 2013, 9:03 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.6

various fixes

April 22, 2013, 10:02 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.5

Fixed bug in field extractions for mac addresses. Many Thanks to John Dunlea

Sept. 28, 2012, 4:22 a.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.4

Fixed: field filtering not working in Analysis view

Sept. 28, 2012, 12:09 a.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.3

Fixed a variety of bugs related to field extractions. Macro Fixes. And Search Optimizations. Also updated the README and Install instructions.

Sept. 27, 2012, 7:52 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.2

fixed splunk crashing issue due to index naming issues.

Sept. 12, 2012, 11:35 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0.1

Minor changes in the README. Credit Bart Grantham

Sept. 11, 2012, 5:17 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 2.0

Release 2.0 Takes in logs from the FireEye XML output.

Sept. 11, 2012, 5:46 a.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

Version: 1.2

README: if upgrading, it is recommended that you rename metadata/local.meta to metadata/local.meta.bak - updated default app permissions

Nov. 5, 2010, 6:29 p.m.

Platform Independent

5.0, 4.3, 4.2, 4.1, 4.0

52
Installs
3,075
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
2.0.8
Category
Security, Fraud & Compliance
Product Support
Splunk Enterprise
Content Type
App
Splunk Versions
5.0
Licensing
Creative Commons BY 3.0
Platforms
Platform Independent
Built by
Tony Lee

Subscribe Share

Splunk Certified

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2016 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.