
SHA256 checksums for the downloadable releases of the FireEye Add-on for Splunk Enterprise:
- fireeye-add-on-for-splunk-enterprise_311.tgz: c3b259cb46e45df025e0cee006e68a145b40c15f40a719f5bd2f77341fd13744
- fireeye-add-on-for-splunk-enterprise_309.tgz: a0f97f92e61041ab01d28cee87b091983a634b5fe2749f6e9405327917129e23
- fireeye-add-on-for-splunk-enterprise_308.tgz: 7ffe788ef2e450b783d2b59d3b62297d8ded3e059200e4807c47684d70bba0e0
- fireeye-add-on-for-splunk-enterprise_307.tgz: 94f680ac89ca808c0bf5b363bc272858bfcba076fad88cece7b4abe56842240e
- fireeye-add-on-for-splunk-enterprise_306.tgz: c2cbb62710ccf9d4c651f31d5c56459f1e04b936f23f20acb61e96af6636d483
- fireeye-add-on-for-splunk-enterprise_304.tgz: 220435d48102beddc529c09ad8e8ae8205238a34f122c298ae387459d76be35d
- fireeye-add-on-for-splunk-enterprise_303.tgz: 5f1a255064025e217b5e6ad7b085cd869b015b48df17dffbddffbc972782cf86
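Because this app is archived and no longer supported, the published SHA256 values above are the only integrity reference you have for an archive before it is pushed to your indexers. The following is an added example, not part of the add-on: it streams a downloaded .tgz through SHA256 and compares the digest in constant time against the value published for that file name. The checksum table is copied from the list above; the self-check uses a constructed empty stand-in file, not a real release archive.

```python
"""Verify a downloaded add-on archive against the SHA256 published on Splunkbase.

Added example, not code from the add-on. KNOWN_SHA256 is copied from the
download page; the file used in self_check() is constructed here (an empty
stand-in named like the 3.1.1 archive), not a real release.
"""
import hashlib
import hmac
import os
import tempfile

# Checksums as published on the download page (lowercase hex).
KNOWN_SHA256 = {
    'fireeye-add-on-for-splunk-enterprise_311.tgz': 'c3b259cb46e45df025e0cee006e68a145b40c15f40a719f5bd2f77341fd13744',
    'fireeye-add-on-for-splunk-enterprise_309.tgz': 'a0f97f92e61041ab01d28cee87b091983a634b5fe2749f6e9405327917129e23',
    'fireeye-add-on-for-splunk-enterprise_308.tgz': '7ffe788ef2e450b783d2b59d3b62297d8ded3e059200e4807c47684d70bba0e0',
    'fireeye-add-on-for-splunk-enterprise_307.tgz': '94f680ac89ca808c0bf5b363bc272858bfcba076fad88cece7b4abe56842240e',
    'fireeye-add-on-for-splunk-enterprise_306.tgz': 'c2cbb62710ccf9d4c651f31d5c56459f1e04b936f23f20acb61e96af6636d483',
    'fireeye-add-on-for-splunk-enterprise_304.tgz': '220435d48102beddc529c09ad8e8ae8205238a34f122c298ae387459d76be35d',
    'fireeye-add-on-for-splunk-enterprise_303.tgz': '5f1a255064025e217b5e6ad7b085cd869b015b48df17dffbddffbc972782cf86',
}


def sha256_of(path, chunk=1 << 20):
    """Hash the file in 1 MiB chunks so large archives are never read whole."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected=None):
    """True only if the file's digest equals the published one.

    Without an explicit digest the file name is looked up in KNOWN_SHA256;
    a name that is not in the table is reported as unverified (False),
    never as OK. compare_digest avoids a timing side channel on the compare.
    """
    expected = expected or KNOWN_SHA256.get(os.path.basename(path))
    if not expected:
        return False
    return hmac.compare_digest(sha256_of(path), expected.lower())


def self_check():
    """Constructed stand-in: an empty file named like the 3.1.1 archive.

    Its digest is SHA256 of zero bytes, so it must NOT verify as the real
    release, while verifying against its own digest succeeds.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'fireeye-add-on-for-splunk-enterprise_311.tgz')
        open(path, 'wb').close()
        digest = sha256_of(path)
        return digest, verify_download(path), verify_download(path, digest)


if __name__ == '__main__':
    digest, as_release, as_self = self_check()
    print('digest of stand-in :', digest)
    print('matches 3.1.1 entry:', as_release)   # False: not the real archive
    print('matches own digest :', as_self)      # True
```

Run it against the real download by calling verify_download('/path/to/fireeye-add-on-for-splunk-enterprise_311.tgz'); anything other than True means the archive should not be deployed.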


FireEye Add-on for Splunk Enterprise

This app has been archived on Splunkbase.
This app is NOT supported by Splunk.
Details
FireEye Technology Add-on (TA) supporting the FireEye_v3 app found here: https://apps.splunk.com/app/1845/

App walk-through video:
http://youtu.be/-KBN1Xvqe6U

Supported FireEye Appliances are:
- Network Threat Prevention Platform (NX Series)
- Email Threat Prevention Platform (EX Series)
- Forensic Analysis Platform (AX Series)
- Content Threat Prevention Platform (FX Series)
- Endpoint Threat Prevention Platform (HX Series)
- Network Forensics Platform (PX Series)
- Threat Analytics Platform (TAP)

Supported protocols and formats are:
1) JSON over HTTPS
2) XML over HTTPS
3) CEF over SYSLOG - TCP
4) CEF over SYSLOG - UDP
5) XML over SYSLOG - TCP
6) XML over SYSLOG - UDP
7) JSON over SYSLOG - TCP
8) JSON over SYSLOG - UDP
9) CSV over SYSLOG - TCP
10) CSV over SYSLOG - UDP

When you should not use this TA:
This Technology Add-on (TA) is not necessary for simple Splunk installations (e.g. a single Splunk instance with no forwarders or separate indexers).
Instead, just install the app located here: https://apps.splunk.com/app/1845

When you should use this TA:
This TA supports the FireEye_v3 app. It contains no dashboards, only the parsing configuration (the props.conf and transforms.conf stanzas), so it should be installed on the Splunk indexers, while the app itself is installed on the search head.
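The formats listed above arrive as syslog lines whose payload is CEF, JSON or XML, and the release notes below record that the add-on's fe_cef_syslog stanza takes _time from the CEF rt field and that the syslog header is stripped for the JSON and XML sourcetypes. The following Python is an added example, not code from the add-on or from FireEye: it classifies a line into those sourcetypes, parses the CEF header and extension (escaped pipes and equals signs, values containing spaces, and csNLabel/csN pairs) and derives the event time from rt, as Splunk would with TIME_PREFIX/TIME_FORMAT. The three sample lines, host names and field values are constructed; the sourcetype names come from the release notes, the product-matching regex generalises the HX regex quoted in the 3.0.6 notes, and a textual rt without a zone is assumed to be UTC.

```python
"""Classify and parse FireEye notifications arriving over syslog.

Added example, not code from the add-on. SAMPLE_EVENTS are constructed,
not captured from an appliance; the sourcetype names fe_cef_syslog,
fe_json_syslog and fe_xml_syslog are those used in the add-on's release notes.
"""
import re
from datetime import datetime, timezone

SAMPLE_EVENTS = [  # constructed sample input
    '<14>Jan 13 10:22:33 hx-01 fenotify-1234.alert: CEF:0|fireeye|hx|3.1.1|IOC Hit|'
    'Indicator of Compromise|7|rt=Jan 13 2017 10:22:30 UTC src=10.0.0.5 shost=WIN-LAB01 '
    'fname=evil.exe cs1Label=rule cs1=Mimikatz Indicator',
    '<14>Jan 13 10:25:01 nx-01 fenotify-77.alert: CEF:0|fireeye|nx|7.9.0|MO|malware-object|10|'
    'rt=1484303101000 src=10.0.0.9 dst=203.0.113.4 dpt=80 request=http://example.test/dl\\=1 '
    'cs2Label=url cs2=http://example.test/a b',
    '<14>Jan 13 10:26:00 ex-01 fenotify-8.alert: {"alert": {"product": "EMAIL_MPS"}}',
]

# RFC 3164-style header: optional <PRI>, timestamp, hostname. The tag
# ("fenotify-1234.alert:") is left in place; the body locators skip past it.
SYSLOG_HDR = re.compile(r'^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d\s\S+\s')
# The add-on's HX 2.5 regex (CEF\:\d\|fireeye\|hx\|) generalised to any product.
CEF_START = re.compile(r'CEF:\d\|fireeye\|(\w+)\|')
CEF_HEADER = ('cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')
# key=value pairs; a value runs (with \-escapes) until the next " key=" or end of line.
EXT_KV = re.compile(r'(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)')


def classify(line):
    """Strip the syslog header and return (sourcetype, payload)."""
    rest = SYSLOG_HDR.sub('', line, count=1)
    m = CEF_START.search(rest)
    if m:
        return 'fe_cef_syslog', rest[m.start():]
    for marker, sourcetype in (('{', 'fe_json_syslog'), ('<', 'fe_xml_syslog')):
        idx = rest.find(marker)
        if idx != -1:
            return sourcetype, rest[idx:]
    return 'syslog', rest  # unrecognised payload: leave it to the generic stanza


def _unescape(value):
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def parse_cef(body):
    """Split the seven CEF header fields (on unescaped '|') and the extension."""
    parts = re.split(r'(?<!\\)\|', body, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF record: %r' % body[:40])
    header = {k: v.replace('\\|', '|') for k, v in zip(CEF_HEADER, parts[:7])}
    header['cef_version'] = header['cef_version'][4:]
    ext = {k: _unescape(v) for k, v in EXT_KV.findall(parts[7])}
    # Resolve custom-string labels so "cs1Label=rule cs1=X" also yields rule=X.
    for key in [k for k in ext if k.endswith('Label') and k[:-5] in ext]:
        ext[ext[key]] = ext[key[:-5]]
    return header, ext


def cef_time(rt):
    """UTC datetime from the CEF rt extension (epoch milliseconds or
    'MMM dd yyyy HH:mm:ss [zone]'); a missing zone is assumed to be UTC."""
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    for fmt in ('%b %d %Y %H:%M:%S %Z', '%b %d %Y %H:%M:%S'):
        try:
            return datetime.strptime(rt, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError('unrecognised rt value: %r' % rt)


def parse_events(lines):
    """Classify each line; fully parse CEF and set _time from rt, not from the
    syslog header (the 3.1.1 notes: 'fe_cef_syslog - rt now sets _time')."""
    events = []
    for line in lines:
        sourcetype, body = classify(line)
        event = {'sourcetype': sourcetype, 'body': body}
        if sourcetype == 'fe_cef_syslog':
            header, ext = parse_cef(body)
            event.update(product=header['product'], header=header, fields=ext)
            if 'rt' in ext:
                event['_time'] = cef_time(ext['rt']).timestamp()
        events.append(event)
    return events


if __name__ == '__main__':
    for ev in parse_events(SAMPLE_EVENTS):
        print(ev['sourcetype'], ev.get('product', '-'), ev.get('_time', '-'))
```

The label resolution and the rt handling are the two places where naive key=value splitting goes wrong in practice: a value such as a URL or rule name may contain spaces or an escaped '=', and an rt that is epoch milliseconds rather than a date silently yields a 1970 timestamp if divided by the wrong unit.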

Release Notes

Version 3.1.1
Jan. 13, 2017

v3.1.1
- CM (Central Management) can send data to the Splunk app using SYSLOG with JSON or XML at Normal verbosity (confirmed operational for NX, EX, AX). JSON is recommended over XML because it uses less browser memory.
- Parsing and displaying the EX subject for fe_xml_syslog and fe_json_syslog (JSON and XML at Normal verbosity, not Concise). JSON works better than XML.
- Moved syslog stripping for JSON to the fe_json_syslog stanzas and out of the syslog stanza
- NX visualization - Added Dest GeoIP map
- EX Analytics - Added panels for top 20 MD5 hashes and top 20 malware URLs
- Removed the syslog stanza (in props.conf) to improve overall parsing - If you need it, just re-enable it
- Removed _raw from the drop down in the dashboards - For XML and JSON, it was too much information
- Stripped the syslog header for fe_xml_syslog and changed KV_MODE to xml. Commented out due to performance.
- FireEye Security Orchestrator (FSO) integration and tasking (Pivoting -> FSO Tasking)
- fe_cef_syslog - rt now sets _time
- Hid the comprehensive dashboards

Version 3.0.9
Aug. 21, 2016

v3.0.9
Feature Requests:
- App now supports ETP (Email Threat Prevention [Cloud])
- App now supports IA Pivoting
- Created Pivoting tab
- Added IA Web Pivoting
- Added IA Email Pivoting
- Moved PX Pivoting to newly created Pivoting menu
- Added Analytics dashboards for all appliances

Bug fixes
- Fixed Wild card and ID filters in NX dashboard
- Fixed Links to product documentation

Version 3.0.8
July 20, 2016

v3.0.8
Feature requests:
- Added ability to acknowledge events and add notes (NX, EX, AX, FX, HX) (Toolbox -> Acknowledge events)
Note: Ack flags and notes in the KV Store stay intact across app upgrades. They are lost when the app is deleted and reinstalled.
- Added ability to filter based on acknowledged events
- HX has enhanced filtering to enable easier event ack and easier downloading of redline .mans files
- Changed appliance names on analytics dashboard
- Updated VTLookup - includes working event link and autosubmit of URL if not present
- Removed Source and Sourcetype columns from all dashboards

Version 3.0.7
Aug. 23, 2015

v3.0.7
Feature requests:
- Added fields for Email CIM compliance - http://docs.splunk.com/Documentation/CIM/latest/User/Email
- Created a Toolbox section that contains the VT Lookup page. Remember to delete local/data/ui/nav/default.xml and restart Splunk, otherwise the local navigation file keeps overriding the updated default menu.
- Added Base64 conversion tool to Toolbox
- Added URL decoding tool to Toolbox
- Created default TAP analytics page
- Updated the Getting Started page

Bug fixes:
- JSON over HTTPS: the _time field was incorrect because Splunk's automatic timestamp extraction picked up the appliance-id field. Uncommented the TIME_PREFIX and TIME_FORMAT settings so the timestamp is read from the intended field. Thanks to Scott and Craig for noticing this issue.
- Removed a bad field alias (src aliased to src) for fe_cef_syslog and fe_csv_syslog
- fix_FireEye_JSON_in was missing from the TRANSFORMS-updateFireEyeIndex list
- Fixed the daily analytics report. Apparently Splunk v6.2 does not like: row grouping="7"

Version 3.0.6
April 17, 2015

v3.0.6
Feature requests:
- PX integration - Can pivot based on time, SRC and DEST IP, SRC and DEST PORT
- Now supports HX 2.5 notification format - REGEX=.*:\sCEF\:\d\|fireeye\|hx\|

Version 3.0.4
Jan. 23, 2015

Matches FireEye app version 3.0.4
Fixes icon issue

Version 3.0.3
Nov. 12, 2014

v3.0.3 - First version of TA to match the FireEye_v3 app

