Detailed configuration guide with screenshots, available here: https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for-splunk-enterprise.pdf
| Protocol/format | Sourcetype |
|---|---|
| JSON over HTTPS | fe_json |
| Detection on Demand | fe_dod |
| HX Endpoint Appliance | hx_cef_syslog |
| Threat Analytics Platform (TAP) | fe_tap_json |
| Email Threat Prevention (ETP) | fe_etp |
This app is designed for both a SOC/NOC environment as well as analysts:
- Analytics menu - Dashboards designed based on customer feedback to display analytics and trending that matter most to them
- Visualization menu - Dashboards designed to be projected or displayed on a large heads-up display monitor
- Analysis menu - Dashboards designed to be used by the analysts themselves - provides more event detail and drilldown capability
- Help menu - Contains appliance health check, setup menu, and documentation
- Splunk menu - Traditional Splunk options
Most users will be able to download and install the application from the Splunk Apps Marketplace. However, more complex installations may require an additional download.
As with any Splunk app, there are 2 parts:
v3.1.1
- CM can send data to the Splunk app over syslog in JSON and XML Normal format (confirmed operational for NX, EX, AX). JSON is recommended over XML because it uses less browser memory.
- Parsing and displaying the EX email subject using fe_xml_syslog and fe_json_syslog (requires JSON or XML Normal verbosity, not Concise). JSON is preferred over XML.
- Moved syslog stripping for JSON to the fe_json_syslog stanzas and out of the syslog stanza
- NX visualization - Added Dest GeoIP map
- EX Analytics - Added panels for top 20 MD5 hashes and top 20 malware URLs
- Removed the syslog stanza (in props.conf) to improve overall parsing - If you need it, just re-enable it
- Removed _raw from the drop down in the dashboards - For XML and JSON, it was too much information
- Stripped the syslog header for fe_xml_syslog and changed KV_MODE to xml. Commented out due to performance.
- FireEye Security Orchestrator (FSO) integration and tasking (Pivoting -> FSO Tasking)
- fe_cef_syslog: the CEF rt field now sets _time
- Hid the comprehensive dashboards
v3.0.9
Feature Requests:
- App now supports ETP (Email Threat Prevention [Cloud])
- Instructions coming soon - Otherwise, email us via the Help -> Send Feedback link in the app
- App now supports IA Pivoting
- Created Pivoting tab
- Added IA Web Pivoting
- Added IA Email Pivoting
- Moved PX Pivoting to newly created Pivoting menu
- Added Analytics dashboards for all appliances
Bug fixes:
- Fixed wildcard and ID filters in the NX dashboard
- Fixed links to product documentation
v3.0.8
Feature requests:
- Added ability to acknowledge events and add notes (NX, EX, AX, FX, HX) (Toolbox -> Acknowledge events)
Note: Ack flags and notes in the KV Store stay intact across app upgrades. They are lost when the app is deleted and reinstalled.
- Added ability to filter based on acknowledged events
- HX has enhanced filtering to make event acknowledgement and downloading of Redline .mans files easier
- Changed appliance names on the analytics dashboard
- Updated VT Lookup: includes a working event link and auto-submits the URL if it is not present
- Removed Source and Sourcetype columns from all dashboards
v3.0.7
Feature requests:
- Created a Toolbox section that contains the VT Lookup page. Remember to delete local/data/ui/nav/default.xml and restart Splunk so you can see the new menu!
- Added fields for Email CIM compliance - http://docs.splunk.com/Documentation/CIM/latest/User/Email
- Added Base64 conversion tool to Toolbox
- Added URL decoding tool to Toolbox
- Created default TAP analytics page
- Updated the Getting Started page
Bug fixes:
- The _time field for JSON over HTTPS was incorrect because Splunk was taking the timestamp from the appliance-id field. Uncommented the TIME_PREFIX and TIME_FORMAT settings. Thanks to Scott and Craig for noticing this issue.
- Removed the bad field alias src AS src for fe_cef_syslog and fe_csv_syslog
- fix_FireEye_JSON_in was missing from the TRANSFORMS-updateFireEyeIndex setting
- Fixed the daily analytics report. Apparently Splunk v6.2 does not like: row grouping="7"
v3.0.6
Feature requests:
- PX integration: can pivot based on time, SRC and DEST IP, SRC and DEST PORT
- Now supports the HX 2.5 notification format (REGEX=.*:\sCEF\:\d\|fireeye\|hx\|)
- Changed VT Lookup to use an external script instead of a Splunk lookup; it is faster and OS-independent
- VT Lookup can now accept URLs and IPs
- Created TAP comprehensive dashboard
- Updated comprehensive dashboards
- Exposed Event ID box - useful for manual entry
Bug fixes:
- Changed analytics pages to more clearly request community feedback
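As an added example (not code from the app, FireEye or Splunk), the following Python checks constructed syslog lines against the HX 2.5 header regex quoted above and derives the event time from the CEF rt extension, as the v3.1.1 note about fe_cef_syslog describes. The sample lines, hostnames and the UTC assumption for the textual rt format are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Header pattern quoted in the v3.0.6 notes for the HX 2.5 notification format.
HX_CEF_HEADER = re.compile(r".*:\sCEF\:\d\|fireeye\|hx\|")

# CEF extension: space-separated key=value pairs whose values may contain spaces.
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample syslog lines (not real appliance output).
SAMPLES = [
    "<14>Jan 12 10:15:00 hx-01 fireeye: CEF:0|fireeye|hx|2.5.0|IOC Hit|Indicator of Compromise|7|"
    "rt=1484216100000 dvchost=hx-01 dst=192.0.2.10 act=alert",
    "<14>Jan 12 10:15:00 hx-01 fireeye: CEF:0|fireeye|hx|2.5.0|IOC Hit|Indicator of Compromise|7|"
    "rt=Jan 12 2017 10:15:00 dst=192.0.2.10",
    '<14>Jan 12 10:15:00 nx-01 fireeye: {"alert": {"severity": "majr"}}',
]

def sourcetype_for(line: str) -> Optional[str]:
    """Return the app's HX sourcetype when the CEF header pattern matches, else None."""
    return "hx_cef_syslog" if HX_CEF_HEADER.match(line) else None

def cef_extensions(line: str) -> dict:
    """Split the seven pipe-delimited header fields (respecting backslash-escaped pipes)
    and parse the remaining extension into a dict."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8:
        return {}
    return dict(CEF_EXT.findall(parts[7]))

def rt_to_epoch(rt: str) -> Optional[float]:
    """CEF rt is either epoch milliseconds or 'MMM dd yyyy HH:mm:ss' (assumed UTC here)."""
    if rt.isdigit():
        return int(rt) / 1000.0
    try:
        return datetime.strptime(rt, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None

def event_time(line: str) -> Optional[float]:
    """Mimic 'rt now sets _time': derive the event epoch from rt, or None for non-HX lines."""
    if sourcetype_for(line) is None:
        return None
    rt = cef_extensions(line).get("rt")
    return rt_to_epoch(rt) if rt else None

if __name__ == "__main__":
    for s in SAMPLES:
        print(sourcetype_for(s), event_time(s))
```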
Feature requests:
- Added VirusTotal Lookups for MD5 Hashes! - Thanks to Keith Tyler, Jose Hernandez, and Ian Ahl
- Made VirusTotal view accept user input -- can accept any hash even if event did not occur
- Added Metrics under Help -> Metrics - Thanks goes to Josh Tornetta
- Added JSON over Syslog
- Added Appliance Health check visualization chart (Help -> FireEye Appliance Health)
- FireEye analytics and all visualization dashboards auto-refresh every hour (refresh="3600")
- Optional indexing made easier (Uncomment #TRANSFORMS-updateFireEyeIndex in props.conf)
- Added parsing of IPS signature name - eval signature=coalesce (signature, sig_name)
- Added percentages to key visualization charts
- Standardized chart colors for severity (Color mapping is now consistent) - <option name="charting.fieldColors">{crit:0xFF1300,majr:0xFFDA00,minr:0x3C04F2}</option>
Bug fixes:
- Removed CM dashboards - there is not a clear method of sorting the events
- Set linemerge=true for [syslog] props
- Changed app.conf to set is_configured = true. This should prevent the setup screen from launching until we work out the bug.
Latest version of the Splunk App for FireEye -- version 3.0.0