This app is for Splunk v5 and prior. Try our new app designed to work for Splunk v6 at [http://apps.splunk.com/app/1845/]. We are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!
FireEye cyber security products combat today's advanced persistent threats (APTs). As an integral piece of an Adaptive Defense strategy, our state-of-the-art network security offerings protect against cyber attacks that bypass traditional signature-based tools such as antivirus software, next-generation firewalls, and sandbox tools
Version 2.0 of the app was designed to take data from FireEye's XML output. It allows for deeper investigations then CEF formatted, syslog data.
**Update: This app is for Splunk v5 and prior. Try our new app designed to work for Splunk v6 at http://apps.splunk.com/app/1845/. We are accepting user feedback at: Tony.Lee -at- FireEye.com. Thanks!
This app can be installed on Splunk v6 using the instructions found here: http://securitysynapse.com/2014/05/stopgap-splunk-for-fireeye-v2-app.html
However, this app is designed to work on Splunk 4.3.x and 5.x due to its heavy use of HTML 5 dashboards. A new app will be written from scratch to take advantage of new Splunk v6 features. For any help or feedback for this app please post your questions to answers.splunk.com and add the FireEye tag your question
The 1.x versions of this app relied on the syslog data from FireEye devices. The views, dashboards and extractions in the current app rely on the XML output format from FireEye. While the previous version's views and dashboards are included in this app, they have not been tested with the XML data format. If you really want the previous dashboards, we suggest that you not upgrade to version 2.x. OR you can customize the older views to match the fileds based on the XML.
You will have to configure the FireEye to export event via http, xml in order for this app to work. Please see the FireEye Config section below for details. Short version: The http location for the FireEye log forwarding is to be of the form below:
You should replace 'localhost', above with the name of your splunk server. Do Not change the sourcetype or the index parameters above. They will break the dashboards and extractions.
-- There is nothing on the main page.
\- The main overview page is a realtime view. So if you don't have events in the last 5 minutes. The dashboards will be empty
-- The Malware overview page has an empty dashboard for the Business Units impacted
\- The business Unit chart works off a lookup table. You will have to create/use a lookup table that is built for your environment. The lookup table used by default is located at $SPLUNK_HOME/etc/apps/FireEye/lookups/asset_lookup.csv. For more detail on lookup tables please see this link:
-- Browser hangs on certain searches with very large events.
\- In very rare cases, for very large events, in excess of 2 Mb. the web browser hangs when attempting to return the event in the Events list.
\- Use the table command to use the table view with specific fields instead of the entire event. e.g. alert_id=1234 | table malware_name src_ip dst_ip
The app requires the following Splunk Apps available from Splunk Base :
- Splunk for Google Maps
- Splunk for Geo Location Lookup Script
You do not need to install these apps if you do not wish to use the Apps mapping and geo location features. The main dashboard will not render properly without the above apps.
Ensure that the apps listed in the Dependencies section are installed.
Installing via the Web UI :
Go to Manager -> Apps -> Find more apps online: search for fireeye -> Click on the 'Install Free' link below the FireEye app (not the TA-fireeye) -> Ready to install Page -> Install
Check the Upgrade button if you have an older version installed
Installing from command line:
- Unpack the fireeye.spl file using: tar -vxzf fireeye.spl.
- Move the resulting FireEye directoryinto $SPLUNK_HOME/etc/apps
- Restart Splunk
You will have to modify your FireyEye's logging configuration to send the
logs to Splunk in xml via http. To do this, on your FireEye appliance, go
to the Settings menu Tab, then Notifications on the left side submenu.
Select http from the Protocol options.
In the HTTP Configuration Server Listing configuration, enter a name value
and click Add HTTP Server. You will see your newly added server name
listed below. Populate the values appropriately:
Server Url :
- You must replace the "SplunkServerIP" with correct IP of your Splunk
server instance, it is also recommended that you replace
"FireEyeServerName" with the host name of FireEye MPS system from which
alerts will be sent from.
Auth : Must be checked
Username : Enter your Splunk login username
Password: Enter your Splunk login password
Notifications : Select All Events (recommended)
Delivery : Select Per Event (recommended)
SSL Enable : Must be selected
Message Format : XML Extended ( recommended, but any XML option can be
Lastly, you should disable the syslog or any other notifications to
Splunk; unless you want the notifications ingested twice.
As Splunk indexes your FireEye data, the app will rename the sourcetypes to FireEye_CEF, for the standard syslog, CEF format and fe_xml for the XML data.
In order to get the XML data into Splunk you will have to modify your FireEye appliance by going to the Notifications section in the appliance's web ui, select http and XML for the format. The URL will be of the form below, except replace localhost with the name of your splunk server. You can also replace the source=FE_test with the name you want for your FireEye. The index=fe and the sorucetype=fe_xml should not be changed. the dashboards and views rely on the fe index and the fe_xml source type being present.
The dashboards rely on the search macros for views. These macros are defined in $SPLUNK_HOME/etc/apps/SplunkforFireEye/default/macros.conf.
You should only edit the base macros. Base Macros begin with BASE in their name. E.g. BASE-FireEye_index. If you already have data that has been indexed as a different sourcetype, add your sourcetype to the definition. For example:
definition = sourcetype="fe_xml" OR sourcetype="foo" OR sourcetype="bar"
Important: All other macros should not be edited.
Lookups are provided for a sample environment to resolve IP addresses machine hostnames to Users and business units. The lookup will have to be modified to fit your environment.
Using the form fields on the dashboards
All the dashboards work without any filtering values for the form fields. If you want to filter based on a field you should use asterisks before and after the search terms unless you are absolutely sure of the filter value. e.g. you can use 172.168. for IP addresses or Trojan for malware names.
Keep in mind that searches that have longer time ranges may take a little longer to return the results.
Support and Help
If you require some help with the app or have questions, please post to answers.splunk.com and add the FireEye tag your question