Splunk App for FireEye

FACT SHEET

Use Splunk and FireEye to better detect, prevent and investigate advanced security threats.

The Splunk App for FireEye

The Splunk App for FireEye is a free App available on Splunkbase that installs on Splunk Enterprise. It ingests data from FireEye and offers out-of-the-box dashboards, reports and fast access to FireEye alerts. The Splunk App for FireEye allows FireEye customers to easily visualize key threats as alerted on by FireEye across multiple parameters (FireEye product, destination IP, malware name, etc.), investigate FireEye alerts, and see threat trends. It also contains search capabilities which allow users to enter values such as IP, alert name, malware URL, md5sum or other data, to quickly see relevant FireEye alerts. Every FireEye alert can be drilled into to get to the raw, underlying detail within one or two clicks for fast incident investigation. Also, for each alert, the Splunk App for FireEye provides one-click access to the related packet capture files stored in FireEye so they can be analyzed and correlated in Splunk Enterprise. Lastly, customers can also customize the Splunk App for FireEye by creating their own dashboards, visualizations, forms, and alerts to accommodate their specific needs.

The Splunk App for FireEye indexes raw FireEye XML output, rather than CEF or syslog format, for rich FireEye alert detail. This XML data can contain hundreds of lines per alert and may have thousands of fields, compared to the fewer than 50 fields present in FireEye syslog or CEF formatted data. With all this detail, incident investigations and forensics analysis in Splunk software will not be hampered by missing FireEye data. The rich data set provided by FireEye allows for deep, detailed analysis of threats and malware, including how the threats work, what processes were involved and more.

FireEye® and Splunk

The FireEye Malware Protection System (MPS) is the only complete solution to stop advanced targeted attacks across Web and email threat vectors, and from malware resident on file shares. FireEye's solutions supplement traditional security defenses, such as firewalls, IPS, AV and gateways, which can't stop advanced malware and thus leave significant security holes in most corporate networks. The FireEye security platform offers integrated, multi-vector protection utilizing stateful attack analysis to stop all stages of an advanced attack. FireEye's products all feature a Virtual Execution engine that provides state-of-the-art, signature-less analysis using patented, proprietary virtual machines. The FireEye MPS builds a 360-degree, stage-by-stage analysis of an advanced attack, from system exploitation to data exfiltration, to effectively stop would-be advanced persistent threat attackers.

Splunk Enterprise is a security intelligence platform that collects, indexes and harnesses machine-generated data coming from websites, applications, servers, networks and security products, such as FireEye. Splunk Enterprise is often used as a big data platform for security use cases, including incident investigations and forensics, security reporting and visualization, and security information and event management (SIEM) threat correlation. For SIEM use cases, Splunk software connects the dots across siloed, separate products to detect and alert on advanced threats that otherwise would evade detection. The Splunk Enterprise platform extracts additional value from point solutions by allowing the end user to create data visualizations that reflect long-term trending of threats, see them in the context of other IT data and link solutions together to automate security processes.

HIGHLIGHTS
• Real-time dashboards, panels, and search fields to easily view and investigate FireEye alerts
• Correlate FireEye data with other data sources in Splunk Enterprise™ to detect and remediate additional advanced threats
• Uses FireEye XML output, not CEF or syslog output, for rich detail—up to hundreds of lines per FireEye alert

[Figure: Malware overview dashboard]

Once this rich XML FireEye data is in Splunk Enterprise it can be correlated with other data in Splunk from sources such as DNS, DHCP, AD, web servers, email servers, firewalls and Windows event logs. This allows you to detect the presence of advanced threats that may hide behind credentials and use other stealthy methods to evade detection from traditional stand-alone security products. Other SIEMs commonly use fixed-schema, SQL database structures and are unable to retain or correlate on this highly variable and unstructured XML data from FireEye. Additionally, Splunk Enterprise can be used to take real-time, automated action on FireEye alerts and to easily integrate different products for better security.

For example, a large financial institution sends FireEye alerts to Splunk software in real time, while in Splunk Enterprise a real-time search is looking for FireEye web alerts involving inbound threats. When the Splunk search sees these FireEye alerts, a Splunk alert is generated that automatically executes a simple, custom script which adds the IP address of the inbound threat to a blacklist in the company's web proxy. Thus the attacker will be blocked from future attempts originating from that IP address. With Splunk Enterprise, product integrations such as this can be done with minimal effort and enable real-time, automatic remediation or threat blocking.

The Splunk App for FireEye is compliant with the Splunk Common Information Model (CIM), making it easier to correlate FireEye data with data already in Splunk. Other Splunk Apps that use the CIM include the Splunk App for Enterprise Security, Splunk App for PCI Compliance and the Splunk App for FISMA.

Splunk App for FireEye—Dashboards, Reports and Search Boxes

The Splunk App for FireEye generates FireEye-specific dashboards and reports in real time, enabling immediate visibility on key FireEye metrics. The Splunk App for FireEye also supports core Splunk functionality such as the ability to schedule and email reports to others, role-based access control to limit who can view and/or act on specific data in Splunk or an App, and drill-down actions that enable you to delve deeper into the details behind graphical elements and charts. The following dashboards, reports and search boxes are available in the Splunk App for FireEye:

FireEye overview dashboard:
• Geo-IP mapping of alerts
• Attack vector of alerts

Malware overview dashboard:
• Malware detail including alert ID, FireEye appliance, source IP, destination IP and malware name
• Malware by business unit
• Malware names
• Malware sub-type names
• Most callbacks by destination IP
• Search boxes for victim IP, device name, malware name, alert ID, callback and malware type

Analysis dashboard:
• Alert detail including alert ID, analysis, malware, URL, message, process and alert name
• Infections by alert name
• Content type
• md5sums
• Alerts
• Search boxes for alert name, device name, malware name, alert ID, md5sum and malware URL

Free Download

Download Splunk for free. You'll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. After 60 days, or anytime before then, you can convert to a perpetual Free license or purchase an Enterprise license by contacting

Try out the App, it's Free! Go to and search for "fireeye" to download the App.

www.splunk.com | listen to your data
250 Brannan St, San Francisco, CA, 94107 | 866-438-7758 | 415-848-8400
Copyright © 2012 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws. Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item # FS-splunk-FireEye-104
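The two ideas the fact sheet leans on, flattening a deeply nested XML alert into many searchable fields (rather than the few dozen a CEF line carries) and then letting a narrow real-time rule drive a proxy blacklist action, are shown below in a small added example. This is illustration code written for this page, not code from the Splunk App for FireEye or from FireEye; the XML tag layout, the CIM-style field mapping and the internal address ranges are all assumptions, and the sample alerts are constructed.

```python
"""Flatten constructed FireEye-style XML alerts into searchable fields, map a
few of them to CIM-style names, and decide which alerts qualify for the
'add inbound threat IP to the web proxy blacklist' action described above.

Assumptions: the tag names below are invented for illustration and are NOT
FireEye's real alert schema; field names src/dest/signature/file_hash follow
the Splunk CIM, but the mapping itself is an assumption.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one inbound web infection and one outbound callback.
SAMPLE_ALERT_XML = """<alerts>
  <alert id="12345" name="web-infection" severity="majr">
    <product>WEB_MPS</product>
    <direction>inbound</direction>
    <src><ip>203.0.113.7</ip><port>80</port></src>
    <dst><ip>10.1.2.3</ip><port>51234</port></dst>
    <explanation>
      <malware-detected>
        <malware name="Trojan.Generic.Example">
          <md5sum>d41d8cd98f00b204e9800998ecf8427e</md5sum>
          <url>http://203.0.113.7/payload.bin</url>
        </malware>
      </malware-detected>
      <os-changes>
        <process mode="started"><value>payload.exe</value></process>
        <process mode="started"><value>cmd.exe</value></process>
      </os-changes>
    </explanation>
  </alert>
  <alert id="12346" name="malware-callback" severity="crit">
    <product>WEB_MPS</product>
    <direction>outbound</direction>
    <src><ip>10.1.2.3</ip><port>49152</port></src>
    <dst><ip>198.51.100.9</ip><port>443</port></dst>
  </alert>
</alerts>"""

# Ranges the blacklist script must never touch (assumed internal ranges):
# a bad rule that blocks your own hosts is worse than the alert itself.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed mapping from flattened XML paths to CIM-style field names.
CIM_MAP = {
    "src": "alert.src.ip",
    "dest": "alert.dst.ip",
    "signature": "alert.explanation.malware-detected.malware.name",
    "file_hash": "alert.explanation.malware-detected.malware.md5sum",
    "url": "alert.explanation.malware-detected.malware.url",
    "severity": "alert.severity",
}


def flatten(elem, prefix=""):
    """Turn an element subtree into {dotted.path: [values]}. Attributes and
    element text both become fields; repeated siblings (e.g. several
    <process> entries) accumulate as multivalued fields instead of being
    lost, which is what makes the XML so much richer than one CEF line."""
    path = f"{prefix}.{elem.tag}" if prefix else elem.tag
    fields = {}
    for key, value in elem.attrib.items():
        fields.setdefault(f"{path}.{key}", []).append(value)
    text = (elem.text or "").strip()
    if text:
        fields.setdefault(path, []).append(text)
    for child in elem:
        for key, values in flatten(child, path).items():
            fields.setdefault(key, []).extend(values)
    return fields


def parse_alerts(xml_text):
    """Return one flattened field dict per <alert> element."""
    root = ET.fromstring(xml_text)
    return [flatten(alert) for alert in root.iter("alert")]


def to_cim(fields):
    """Pick the first value of each mapped path under its CIM-style name."""
    return {cim: fields.get(path, [None])[0] for cim, path in CIM_MAP.items()}


def blacklist_candidate(fields, allowlist=frozenset()):
    """Mirror the narrow real-time search from the text: only web-product,
    inbound alerts qualify, and the source must be a routable external
    address that is neither internal nor explicitly allowlisted.
    Returns the IP string to hand to the proxy script, or None."""
    product = fields.get("alert.product", [""])[0]
    direction = fields.get("alert.direction", [""])[0]
    if not product.startswith("WEB") or direction != "inbound":
        return None
    src = fields.get("alert.src.ip", [None])[0]
    if src is None:
        return None
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in INTERNAL_NETS) or ip in allowlist:
        return None
    return str(ip)


if __name__ == "__main__":
    for fields in parse_alerts(SAMPLE_ALERT_XML):
        print(len(fields), "fields;", to_cim(fields),
              "-> block:", blacklist_candidate(fields))
```

The field count per alert grows with every nested element, which is the point the fact sheet makes about XML versus CEF; the blacklist decision is deliberately narrow (product, direction, address class, allowlist) because an automated blocking action runs without a human in the loop.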