Use Splunk and FireEye to better detect, prevent and investigate advanced security threats
Splunk® App for FireEye
FACT SHEET
The Splunk App for FireEye
The Splunk App for FireEye is a free App available on Splunkbase that installs on Splunk Enterprise. It ingests data from FireEye and offers out-of-the-box dashboards, reports and fast access to FireEye alerts. The Splunk App for FireEye allows FireEye customers to easily visualize the key threats FireEye has alerted on, broken down across multiple parameters (FireEye product, destination IP, malware name, etc.), to investigate FireEye alerts, and to see threat trends. It also provides search capabilities that let users enter values such as an IP address, alert name, malware URL, md5sum or other data to quickly see the relevant FireEye alerts. Every FireEye alert can be drilled into to reach the raw, underlying detail within one or two clicks for fast incident investigation. For each alert, the Splunk App for FireEye also provides one-click access to the related packet capture files stored in FireEye so they can be analyzed and correlated in Splunk Enterprise. Lastly, customers can customize the Splunk App for FireEye by creating their own dashboards, visualizations, forms, and alerts to accommodate their specific needs.
The Splunk App for FireEye indexes raw FireEye XML output rather than CEF or syslog format, in order to capture rich FireEye alert detail. This XML data can contain hundreds of lines per alert and may carry thousands of fields, compared to the fewer than 50 fields present in FireEye syslog or CEF formatted data. With all this detail, incident investigations and forensic analysis in Splunk software will not be hampered by missing FireEye data. The rich data set provided by FireEye allows for deep, detailed analysis of threats and malware, including how the threats work, what processes were involved and more.
FireEye® and Splunk
The FireEye Malware Protection System (MPS) is the only complete
solution to stop advanced targeted attacks across Web and email
threat vectors, and from malware resident on file shares. FireEye’s
solutions supplement traditional security defenses, such as firewalls,
IPS, AV and gateways, which can’t stop advanced malware and
thus leave significant security holes in most corporate networks.
The FireEye security platform offers integrated, multi-vector
protection utilizing stateful attack analysis to stop all stages of an
advanced attack. FireEye’s products all feature a Virtual Execution
engine that provides state-of-the-art, signature-less analysis using
patented, proprietary virtual machines. The FireEye MPS builds
a 360-degree, stage-by-stage analysis of an advanced attack,
from system exploitation to data exfiltration, to effectively stop
would-be advanced persistent threat attackers.
Splunk Enterprise is a security intelligence platform that collects, indexes and harnesses machine-generated data coming from websites, applications, servers, networks and security products such as FireEye. Splunk Enterprise is often used as a big data platform for security use cases, including incident investigations and forensics, security reporting and visualization, and security information and event management (SIEM) threat correlation. For SIEM use cases, Splunk software connects the dots across siloed, separate products to detect and alert on advanced threats that would otherwise evade detection. The Splunk Enterprise platform extracts additional value from point solutions by allowing the end user to create data visualizations that reflect long-term trending of threats, see them in the context of other IT data, and link solutions together to automate security processes.
HIGHLIGHTS
• Real-time dashboards, panels, and search fields to easily view and investigate FireEye alerts
• Correlate FireEye data with other data sources in Splunk Enterprise™ to detect and remediate additional advanced threats
• Uses FireEye XML output, not CEF or syslog output, for rich detail—up to hundreds of lines per FireEye alert
[Figure: Malware overview dashboard]