Use Splunk and FireEye to better detect, prevent and investigate advanced security threats
Splunk® App for FireEye
FACT SHEET

The Splunk App for FireEye
The Splunk App for FireEye is a free App available on Splunkbase that installs on Splunk Enterprise. It ingests data from FireEye and offers out-of-the-box dashboards, reports and fast access to FireEye alerts. The Splunk App for FireEye allows FireEye customers to easily visualize key threats as alerted on by FireEye across multiple parameters (FireEye product, destination IP, malware name, etc.), investigate FireEye alerts, and see threat trends. It also contains search capabilities which allow users to enter values such as IP, alert name, malware URL, md5sum or other data to quickly see relevant FireEye alerts. Every FireEye alert can be drilled into to get to the raw, underlying detail within one or two clicks for fast incident investigation. Also, for each alert, the Splunk App for FireEye provides one-click access to the related packet capture files stored in FireEye so they can be analyzed and correlated in Splunk Enterprise. Lastly, customers can customize the Splunk App for FireEye by creating their own dashboards, visualizations, forms, and alerts to accommodate their specific needs.
The Splunk App for FireEye indexes raw FireEye XML output, versus CEF or syslog format, for rich FireEye alert detail. This XML data can contain hundreds of lines per alert and may have thousands of fields, compared to the fewer than 50 fields present in FireEye syslog or CEF formatted data. With all this detail, incident investigations and forensics analysis in Splunk software will not be hampered by missing FireEye data. The rich data set provided by FireEye allows for deep, detailed analysis of threats and malware, including how the threats work, what processes were involved and more.
FireEye® and Splunk
The FireEye Malware Protection System (MPS) is the only complete solution to stop advanced targeted attacks across Web and email threat vectors, and from malware resident on file shares. FireEye’s solutions supplement traditional security defenses, such as firewalls, IPS, AV and gateways, which can’t stop advanced malware and thus leave significant security holes in most corporate networks. The FireEye security platform offers integrated, multi-vector protection utilizing stateful attack analysis to stop all stages of an advanced attack. FireEye’s products all feature a Virtual Execution engine that provides state-of-the-art, signature-less analysis using patented, proprietary virtual machines. The FireEye MPS builds a 360-degree, stage-by-stage analysis of an advanced attack, from system exploitation to data exfiltration, to effectively stop would-be advanced persistent threat attackers.
Splunk Enterprise is a security intelligence platform that collects, indexes and harnesses machine-generated data coming from websites, applications, servers, networks and security products, such as FireEye. Splunk Enterprise is often used as a big data platform for security use cases, including incident investigations and forensics, security reporting and visualization, and security information and event management (SIEM) threat correlation. For SIEM use cases, Splunk software connects the dots across siloed, separate products to detect and alert on advanced threats that otherwise would evade detection. The Splunk Enterprise platform extracts additional value from point solutions by allowing the end user to create data visualizations that reflect long-term trending of threats, see them in the context of other IT data and link solutions together to automate security processes.
HIGHLIGHTS
• Real-time dashboards, panels, and search fields to easily view and investigate FireEye alerts
• Correlate FireEye data with other data sources in Splunk Enterprise™ to detect and remediate additional advanced threats
• Uses FireEye XML output, not CEF or syslog output, for rich detail—up to hundreds of lines per FireEye alert
[Figure: Malware overview dashboard]
www.splunk.com | listen to your data
250 Brannan St, San Francisco, CA, 94107 | info@splunk.com | sales@splunk.com | 866-438-7758 | 415-848-8400 | www.splunkbase.com
Copyright © 2012 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws.
Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned
herein may be trademarks of their respective companies. Item # FS-splunk-FireEye-104
FireEye overview dashboard:
• Geo-IP mapping of alerts
• Attack vector of alerts
Malware overview dashboard:
• Malware detail including alert ID, FireEye appliance, source IP, destination IP and malware name
• Malware by business unit
• Malware names
• Malware sub-type names
• Most callbacks by destination IP
• Search boxes for victim IP, device name, malware name, alert ID, callback and malware type
Analysis dashboard:
• Alert detail including alert ID, analysis, malware, URL, message, process and alert name
• Infections by alert name
• Content type
• md5sums
• Alerts
• Search boxes for alert name, device name, malware name, alert ID, md5sum and malware URL
Once this rich XML FireEye data is in Splunk Enterprise it can be correlated with other data in Splunk from sources such as DNS, DHCP, AD, web servers, email servers, firewalls and Windows event logs. This allows you to detect the presence of advanced threats that may hide behind credentials and use other stealthy methods to evade detection from traditional stand-alone security products. Other SIEMs commonly use fixed-schema, SQL database structures and are unable to retain or correlate on this highly variable and unstructured XML data from FireEye.
Additionally, Splunk Enterprise can be used to take real-time, automated action on FireEye alerts and to easily integrate different products for better security. For example, a large financial institution sends FireEye alerts to Splunk software in real-time, while in Splunk Enterprise a real-time search is looking for FireEye web alerts involving inbound threats. When the Splunk search sees these FireEye alerts, a Splunk alert is generated that automatically executes a simple, custom script which adds the IP address of the inbound threat to a blacklist in the company’s web proxy. Thus the attacker will be blocked from future attempts originating from that IP address. With Splunk Enterprise, product integrations such as this can be done with minimal effort and enable real-time, automatic remediation or threat blocking.
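Added example (not Splunk's or FireEye's own code) covering two points above: how a raw XML alert flattens into many more fields than a CEF or syslog line carries, and how an alert-triggered script like the one in the financial-institution example can pick a source IP for the proxy blacklist while refusing internal addresses and malformed values. The XML layout, field names and never-block ranges are constructed assumptions, not FireEye's schema.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not real FireEye output: three alerts, one from an
# external address, one whose "source" is an internal host, one callback.
SAMPLE_ALERT_XML = """<alerts>
  <alert id="1001" name="web-infection" severity="majr">
    <src><ip>203.0.113.45</ip></src>
    <dst><ip>10.0.0.23</ip></dst>
    <explanation><malware-detected>
      <malware name="Trojan.Generic" type="web-infection"
               md5sum="d41d8cd98f00b204e9800998ecf8427e"
               url="http://example.invalid/drop.exe"/>
    </malware-detected></explanation>
  </alert>
  <alert id="1002" name="web-infection" severity="majr">
    <src><ip>10.0.5.7</ip></src>
    <dst><ip>10.0.0.23</ip></dst>
    <explanation><malware-detected>
      <malware name="Trojan.Generic" type="web-infection"/>
    </malware-detected></explanation>
  </alert>
  <alert id="1003" name="malware-callback" severity="crit">
    <src><ip>198.51.100.9</ip></src>
    <dst><ip>10.0.0.40</ip></dst>
  </alert>
</alerts>"""

# Assumed "never block" ranges: RFC 1918, loopback and link-local. A real
# deployment would add the company's own public address space here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def _add(fields, key, value):
    """Store a value under key, turning repeats into a multivalue list."""
    if key not in fields:
        fields[key] = value
    elif isinstance(fields[key], list):
        fields[key].append(value)
    else:
        fields[key] = [fields[key], value]


def flatten(elem, prefix=""):
    """Flatten an element into dotted field names (alert.src.ip, ...).
    This is why the XML feed yields far more fields than a CEF line."""
    fields = {}
    path = f"{prefix}.{elem.tag}" if prefix else elem.tag
    for attr, value in elem.attrib.items():
        _add(fields, f"{path}.{attr}", value)
    text = (elem.text or "").strip()
    if text:
        _add(fields, path, text)
    for child in elem:
        for key, value in flatten(child, path).items():
            for item in (value if isinstance(value, list) else [value]):
                _add(fields, key, item)
    return fields


def parse_alerts(xml_text):
    """Return one flattened field dict per <alert> element."""
    return [flatten(a) for a in ET.fromstring(xml_text).iter("alert")]


def blocklist_candidates(alerts, alert_names=("web-infection",)):
    """Decide which source IPs an alert-triggered script may hand to the
    proxy blacklist. Returns (chosen_ips, skipped) where skipped lists
    (alert id, reason) so the analyst can see why nothing was blocked."""
    chosen, skipped = [], []
    for a in alerts:
        alert_id = a.get("alert.id", "?")
        if a.get("alert.name") not in alert_names:
            skipped.append((alert_id, "not a web alert"))
            continue
        raw = a.get("alert.src.ip", "")
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append((alert_id, f"unparseable source ip {raw!r}"))
            continue
        if any(ip in net for net in NEVER_BLOCK):
            skipped.append((alert_id, f"{ip} is in a never-block range"))
            continue
        if str(ip) not in chosen:          # de-duplicate repeat alerts
            chosen.append(str(ip))
    return chosen, skipped


if __name__ == "__main__":
    chosen, skipped = blocklist_candidates(parse_alerts(SAMPLE_ALERT_XML))
    print("block:", chosen)
    for alert_id, reason in skipped:
        print(f"skip alert {alert_id}: {reason}")
```

In a real alert script the XML would come from the indexed event rather than a literal, and the chosen IPs would be pushed to the proxy; the guard list is the part worth keeping, since an attacker-controlled or misparsed source field must not be able to block the company's own hosts.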
The Splunk App for FireEye is compliant with the Splunk Common Information Model (CIM), making it easier to correlate FireEye data with data already in Splunk. Other Splunk Apps that use the CIM include the Splunk App for Enterprise Security, Splunk App for PCI Compliance and the Splunk App for FISMA.
Splunk App for FireEye—Dashboards, Reports and Search Boxes
The Splunk App for FireEye generates FireEye-specific dashboards and reports in real-time, enabling immediate visibility on key FireEye metrics. The Splunk App for FireEye also supports core Splunk functionality such as the ability to schedule and email reports to others, role-based access control to limit who can view and/or act on specific data in Splunk or an App, and drill-down actions that enable you to delve deeper into the details behind graphical elements and charts.
The dashboards, reports and search boxes listed above (FireEye overview, Malware overview and Analysis) are the ones available in the Splunk App for FireEye.
Free Download
Download Splunk for free. You’ll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. After 60 days, or anytime before then, you can convert to a perpetual Free license or purchase an Enterprise license by contacting sales@splunk.com.
Try out the App, it’s Free! Go to http://splunk-base.splunk.com/apps/ and search for “fireeye” to download the App.
