FireEye + Splunk: Intermediate Guide

Date post: 08-Dec-2015
www.fireeye.com

Table of Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Current Integration Efforts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Creating Advanced Connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Splunk Listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Splunk Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Splunk User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

FireEye Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Examining a Raw Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Single Line JSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Multiline JSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Universal Parser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

According to Splunk: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Parsing Other Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Experimenting with XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Single Line XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Multiline XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Universal Parser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Summary of Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Creating Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Moving a Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Customizing an App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26


App Navigation Colors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

App Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Dashboard Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Sample FireEye Dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

NX (web MPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Alerts -> Alerts: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Alerts -> Callback Activity: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Time Frames: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Panels to Enhance Visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

NX (web MPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Severity Pie Chart: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Malware Pie Chart: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Top 20 Most Active Target IPs: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Top 20 Most Active Destination Ports: . . . . . . . . . . . . . . . . . . . . . . . . 37

Most Active Sensors: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Adding Forms (Filters) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Adding Tokens to Search Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Adding User Input Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

GeoIP Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

iplocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

geostats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Adding Drilldowns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47


Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Supporting File Location: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

How to Import Support Files: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Drilldown by Event ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Supporting files on the server: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

inpage_drilldown_form.css . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

inpage_drilldown_form.js . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Using Curl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Splunk Search: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Special Thanks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

About FireEye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Appendix A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


Introduction

Are you a Splunk ninja and now have a FireEye appliance? If so, our previous introductory guide (http://www.fireeye.com/resources/pdfs/FireEye-Splunk-intro-to-integration-guide.pdf) and this intermediate guide should help you understand custom FireEye and Splunk integration options in no time. The previous introductory paper walks users through integrating the devices via syslog and some simple Splunk data carving. This paper extends that knowledge by showing users how to consume more in-depth FireEye (XML and JSON) data via HTTP POST and how to use some of Splunk’s advanced features to build a more robust dashboard. Those readers who want to quickly arrive at one possible integration solution should take note of the Current Integration Efforts section below or the Universal Parser section and then use the sample code within Appendix A.

Current Integration Efforts

If your organization is using the latest version of Splunk (6.x), try out our free FireEye App for Splunk Enterprise v3 (http://apps.splunk.com/app/1845/). This new app provides increased flexibility by supporting multiple FireEye appliances as well as multiple protocols and formats for sending data to Splunk. This app may not be fully backward compatible because it takes advantage of many Splunk 6.x features that were not previously available.

If your organization is still using Splunk version 4.x or 5.x, you can easily download and use the free—but unsupported—Splunk for FireEye v2 app to integrate the two technologies. This Splunk app utilizes and parses FireEye’s rich extended XML output. This downloadable app is available here: https://apps.splunk.com/app/409/.

The rest of this article is written for those that want to start from scratch or start from one of the above apps and learn to customize them. This article will outline various protocols and formats available from FireEye and explore the parsing options provided by Splunk.

Creating Advanced Connectors

In our previous introductory guide to integrating FireEye and Splunk, we covered creating connectors between the appliances using CEF or CSV format sent via syslog. When attempting to pass a more robust format such as extended XML or JSON via syslog, we discovered that the message was being prematurely truncated. To see the solution, download our new FireEye for Splunk Enterprise v3 app and check out the props.conf file. In this paper we will show how to use Splunk’s RESTful API to pass event data in XML or JSON format using an encrypted HTTPS POST. The steps below should assist in the setup.


Splunk Listener

A default installation of Splunk 6 or later should automatically be listening via the RESTful API on port 8089. However, this can be verified by navigating to this API using a standard web browser: https://<SplunkBox>:8089

If for whatever reason, this service is not available, verify the port number using the following steps:

• Using a web browser, log in to the Splunk web interface: http://<SplunkBox>:8000
• Username: <admin account>
• Password: <password>

Figure 1: Splunk RESTful API is available on the default port 8089


Set up the Splunk listener:

• Click the "Settings" hyperlink in the top right-hand corner of Splunk
• Under "System", click “System settings"
• Click “General settings”
• Note the value in the “Management port” field

Splunk Role

We now want to create a user in Splunk that will be used for passing the RESTful API data. However, there is currently no predefined Splunk role that can perform the job while adhering to the principle of least privilege. We could just assign our new user the “admin” role, but this would create a more severe situation should this account ever become compromised.

The following instructions will create a Splunk role that has only the ability to accept data via the RESTful API:

• Log into the Splunk web UI with an admin account
• Click “Settings -> Users and authentication -> Access controls”
• Click “Roles” -> Click the "New" button
• Role Name: RESTfulAPI
• Capabilities: edit_tcp

Figure 2 : The port that Splunk uses for its RESTful API


Splunk User

Now that we have created a secure role, we need to create an account that will be used for authentication to post our event data.

Note: Make sure the account name is alphanumeric only (no whitespace). Example username: fireeye

• Again, log into the Splunk web UI with an admin account
• Click “Settings -> Users and authentication -> Access controls”
• Click “Users” -> Click the "New" button
• Fill in the required data
• Privilege Note: Remember to use our newly created “restfulapi” role
• Click the "Save" button

Figure 3: Creating the Splunk admin account that will accept our HTTP POST messages.


FireEye Data

Now that Splunk is listening and ready for data, we have to configure FireEye to send HTTP POST data to the connector. As mentioned in our introductory paper, the FireEye appliances are very flexible regarding notification output and support the following formats using HTTP POST:

Text: Normal, Concise, Extended
JSON: Normal, Concise, Extended
XML: Normal, Concise, Extended

In contrast, when sending data using syslog, all of the above formats are supported with the addition of CEF, LEEF, and CSV. Don’t worry though, these three additional formats should not be needed because other formats provide more robust data.

For our first example, we will use Extended JSON—but this does not necessarily mean that it is the best format. It is just one possible option (see the “Parsing Other Formats” section for more details as to why we are selecting JSON over XML). Complete the following steps to send data to Splunk using extended JSON via HTTP POST:

• Log into the FireEye appliance with an administrator account
• Click “Settings”
• Click “Notifications”
• Click the “http” hyperlink
• Make sure the "Event type" check box is selected
• If the Global HTTP Settings are already set, leave them

Next to the "Add HTTP Server" button, type "SplunkHTTP". Then click the "Add HTTP Server" button. In the newly created “SplunkHTTP” entry, ensure that the following check boxes are selected:

• Enabled
• Auth
• SSL Enable


Enter the following per-instance settings (which will override the global settings above):

Server URL: https://<SplunkAD.DR.ESS>:<PORT>/services/receivers/simple?host=<FireEyeAddress>&source=wmps&sourcetype=fe_json

Note: The default port used above is 8089—unless it has been changed.

Remember to click the “Update” button when finished.

• Username: fireeye (or username created in Splunk)
• Password: <password created above in Splunk>

Figure 4: Steps to configure the FireEye appliance to send data to Splunk


Now test the sending and receiving of notifications on the same FireEye Notifications page by clicking the "Test-Fire" button at the bottom. Flip back over to the Splunk interface and check out the raw event data.

FireEye events will show up under “Search -> Data Summary” button or by typing sourcetype=fe_json in the Search box.

If raw data is not present, skip down to the “Troubleshooting” section at the bottom of this guide.

Figure 5: The Splunk dashboard now shows events


Examining a Raw Event

Now that the connectors are working, we can view the raw data.

Pro-tip: FireEye JSON and XML notifications changed in version 7.1 of the appliance from single line to multiline events. This affects Splunk’s native ability to parse the events; thus, we will need to create a custom sourcetype for Splunk to handle the change.

Single Line JSON

If using a FireEye appliance prior to software version 7.1 (which uses single line JSON as shown below), notice that Splunk will natively know when to split the packets. After clicking on the Data Summary button or searching for “FireEye”, the raw JSON alert notification should be present. The events will look similar to the following:

{"msg": "extended", "product": "Web MPS", "version": "7.0.0.138133", "appliance": "WebMPS.localdomain", "alert": {"src": {"mac": "XX:XX:XX:XX:XX:XX", "ip": "169.250.0.1", "host": "NA-testing.fe-notify-examples.com", "vlan": "0", "port": "10"}, "severity": "majr", "alert-url": "https://WebMPS.localdomain/event_stream/events_for_bot?inc_id=1", "explanation": {"target-os": "WindowsXYZ", "protocol": "tcp", "service": "FireEye-TestEvent EA Service", "analysis": "replay", "cnc-services": {"cnc-service": [{"protocol": "tcp", "port": "200", "channel": "FireEye-TestEvent Channel 1", "address": "FireEye-TestEvent.example.com"}, {"protocol": "tcp", "port": "201", "channel": "cncs 2 channel fields", "address": "127.0.0.100"}]}, "target-application": "IEx123", "urls": "2", "malware-detected": {"malware": [{"content": "lms-0/contents", "url": "compl_0_1-someurl.x1y2z3.com", "type": "link", "name": "Suspicious.URL"}, {"content": "lms-0/contents", "url": "os-change-anomaly_0_1-someurl.x1y2z3.com", "type": "link", "name": "Suspicious.URL"}, {"objurl": "compl_0_1-someurl.x1y2z3.com", "name": "FireEye-TestEvent-SIG"}]}}, "occurred": "2014-04-13T21:02:48Z", "id": "1", "action": "notified", "dst": {"ip": "127.0.0.20", "mac": "XX:XX:XX:XX:XX:XX", "port": "20"}, "name": "web-infection"}}


At first, this data looks a bit confusing. Fortunately, the Splunk dashboard highlights and separates the data to make it a little easier to view and understand. By clicking the dropdown arrow, we see how Splunk natively parses JSON into fields that we can use to build our dashboard.

Figure 6: Search term highlighting and Splunk parsed fields


Multiline JSON

With the release of FireEye OS version 7.1, JSON and XML notifications are now multiline (aka pretty print), meaning each line ends in a hard return and follow-on lines are indented as shown in the example below:

{
  "msg": "extended",
  "product": "Web MPS",
  "version": "7.1.0.180577",
  "appliance": "WebMPS.localdomain",
  "alert": {
    "src": {
      "mac": "00:11:33:55:77:99",
      "ip": "169.250.0.1",
      "host": "DM-testing.fe-notify-examples.com",
      "vlan": "0",
      "port": "10"
    },
--SNIP--
    "occurred"

When comparing this with the JSON from the single line section above, it is evident that this enhances the human readability. Unfortunately, it causes a problem with the native parser in Splunk. The hard returns cause Splunk to split the packet at the occurred field shown in the screenshot below.

This will surely break our dashboards if we don’t account for the change in format.

Figure 7: Multiline JSON is prematurely split in Splunk


Universal Parser

To solve this, we can define our own sourcetype and specify where Splunk will break on events. But before we do this, let’s make sure we understand how line breaking works so we can optimize the parsing in Splunk:

According to Splunk:

“Splunk Enterprise determines event boundaries in two steps:

1. Line breaking, which uses the LINE_BREAKER attribute's regular expression value to split the incoming stream of bytes into separate lines. By default, the LINE_BREAKER is any sequence of newlines and carriage returns (that is, ([\r\n]+)).

2. Line merging, which only occurs when the SHOULD_LINEMERGE attribute is set to "true" (the default). This step uses all the other line merging settings (for example, BREAK_ONLY_BEFORE, BREAK_ONLY_BEFORE_DATE, MUST_BREAK_AFTER, etc.) to merge the previously-separated lines into events.

If the second step does not run (because you set the SHOULD_LINEMERGE attribute to "false"), then the events are simply the individual lines determined by LINE_BREAKER. The first step is relatively efficient, while the second is relatively slow. If you are clever with the LINE_BREAKER regex, you can often make Splunk get the desired result by using only the first step, and skipping the second step. This is particularly valuable if a significant amount of your data consists of multi-line events.”

Source: http://docs.splunk.com/Documentation/Splunk/6.0.3/Data/Indexmulti-lineevents

Bottom line: In order to be fast and efficient, we want to be clever with our LINE_BREAKER regex so we can avoid relying on “SHOULD_LINEMERGE” capabilities.


Fortunately, we have created a regular expression that will act as a universal FireEye JSON parser. Perform the following steps to apply our universal parser:

Step 1) Create the following file if it does not exist:

$SPLUNK_HOME/etc/system/local/props.conf

Step 2) Add the following contents:

# Universal Handler for FireEye JSON notifications (pre and post FireEye OS 7.1)

[fe_json]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\{.*\}$)

The regex above states that one or more carriage returns and line feeds can exist followed by an event that starts with ‘{‘ and ends with ‘}’ with anything in between.

Step 3) Restart splunkd:

$SPLUNK_HOME/bin/splunk restart splunkd

After splunkd is restarted, all FireEye events sent to Splunk with a sourcetype of fe_json will be properly parsed as shown below:

Figure 8: After applying a custom sourcetype, both the pre and post 7.1 FireEye JSON notifications parse correctly
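The LINE_BREAKER behaviour described in the Splunk quote above can be exercised offline. The following is an added Python example, not code from the guide or from Splunk: it emulates step 1 of Splunk's event-boundary logic (the text captured by the regex's first group is discarded and the next event starts right after it, with no line merging) and runs both the default breaker and the guide's fe_json breaker over two constructed samples, a pre-7.1 stream of two single-line events and one post-7.1 pretty-printed event. Running the regex in Python's MULTILINE mode so that ^ and $ anchor at line boundaries is an assumption of the emulation, as are the break_lines, parse_events and count_events names.

```python
import json
import re

# Splunk's default LINE_BREAKER and the fe_json one from the guide's props.conf.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"
FE_JSON_LINE_BREAKER = r"([\r\n]+)(^\{.*\}$)"


def break_lines(stream, line_breaker):
    """Emulate Splunk's first event-boundary step with SHOULD_LINEMERGE = false.

    Splunk breaks wherever LINE_BREAKER matches: the text captured by the first
    group is dropped and the next event begins immediately after it. MULTILINE
    mode for ^ and $ is an assumption of this emulation.
    """
    pattern = re.compile(line_breaker, re.MULTILINE)
    events, start = [], 0
    for match in pattern.finditer(stream):
        events.append(stream[start:match.start(1)])
        start = match.end(1)
    events.append(stream[start:])
    return [event for event in events if event.strip()]


def parse_events(stream, line_breaker):
    """Break the stream and JSON-decode every event; a ValueError here means the
    breaker cut an event apart, which is what Figure 7 shows happening."""
    return [json.loads(event) for event in break_lines(stream, line_breaker)]


def count_events(stream, line_breaker):
    return len(break_lines(stream, line_breaker))


# Constructed samples, trimmed from the two notification styles shown in the guide.
PRE_71_STREAM = (
    '{"msg": "extended", "product": "Web MPS", "version": "7.0.0.138133", '
    '"alert": {"id": "1", "name": "web-infection", "severity": "majr"}}\n'
    '{"msg": "extended", "product": "Web MPS", "version": "7.0.0.138133", '
    '"alert": {"id": "2", "name": "malware-object", "severity": "minr"}}\n'
)

POST_71_EVENT = """{
  "msg": "extended",
  "product": "Web MPS",
  "version": "7.1.0.180577",
  "appliance": "WebMPS.localdomain",
  "alert": {
    "src": {
      "ip": "169.250.0.1",
      "port": "10"
    },
    "occurred": "2014-04-13T21:02:48Z",
    "id": "1",
    "name": "web-infection"
  }
}
"""


if __name__ == "__main__":
    # Single-line events: both breakers yield two whole events.
    print("pre-7.1 default:", count_events(PRE_71_STREAM, DEFAULT_LINE_BREAKER))
    print("pre-7.1 fe_json:", count_events(PRE_71_STREAM, FE_JSON_LINE_BREAKER))
    # Pretty-printed event: the default breaker shreds it into one fragment per
    # line (the split at "occurred" from Figure 7); fe_json keeps it whole.
    print("post-7.1 default:", count_events(POST_71_EVENT, DEFAULT_LINE_BREAKER))
    print("post-7.1 fe_json:", count_events(POST_71_EVENT, FE_JSON_LINE_BREAKER))
    print(parse_events(POST_71_EVENT, FE_JSON_LINE_BREAKER)[0]["alert"]["occurred"])
```

The useful check is the last one: with the fe_json breaker the pretty-printed notification survives as one decodable JSON document, while the default breaker leaves fragments that no longer parse. Keep in mind that with HTTP POST each notification arrives as its own request, so Splunk is not asked to find the boundary between two consecutive pretty-printed events inside one stream; the breaker's job here is to stop splitting inside an event.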


Now that we have whole events, regardless of the FireEye OS version, let’s look at carving the data. In order to replicate the FireEye dashboard using JSON, we need certain fields to map properly.

The JSON fields map as follows:

FireEye Field                                          Splunk Field
Type                                                   alert.name
ID                                                     alert.id
File Type                                              alert.explanation.malware-detected.malware.type
Malware                                                alert.explanation.malware-detected.malware.name
Severity                                               alert.severity
Time (UTC)                                             alert.occurred
Source IP                                              alert.src.ip
Target IP                                              alert.dst.ip
MD5                                                    alert.explanation.malware-detected.malware.md5sum
URL (malware callback, domain match, malware object)   alert.explanation.cnc-services.cnc-service{}.address
URL (web infection)                                    alert.explanation.cnc-services.cnc-service.address
Location                                               Not Passed

The fields above will provide what is necessary to replicate the FireEye dashboard. However, in our introductory article we extended our FireEye dashboard to include some other useful fields.

The other useful JSON fields map as follows:

FireEye Field                                          Splunk Field
Action taken                                           alert.action (may indicate blocked)
Protocol                                               alert.explanation.protocol
Source port                                            alert.src.port
Destination port                                       alert.dst.port
FireEye alert URL                                      alert.alert-url (useful for linking to FE event)
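To check that the two mapping tables above actually cover a real notification, here is an added Python example (not code from the guide or from the FireEye app) that walks the dotted Splunk field paths over a trimmed copy of the guide's extended JSON web-infection sample. The FIELD_MAP dictionary and the extract_path and dashboard_row helpers are my own names; the event values are the guide's test-event data. Where a path crosses a JSON list (the cnc-service{} and malware cases) the helper applies the rest of the path to every element, which mirrors the multivalue fields Splunk produces for the same data.

```python
import json

# Trimmed from the extended JSON sample in the guide (constructed copy, same values).
SAMPLE_EVENT = json.loads("""
{"msg": "extended", "product": "Web MPS", "version": "7.0.0.138133",
 "appliance": "WebMPS.localdomain",
 "alert": {"src": {"ip": "169.250.0.1", "port": "10"},
           "severity": "majr",
           "alert-url": "https://WebMPS.localdomain/event_stream/events_for_bot?inc_id=1",
           "explanation": {"protocol": "tcp",
                           "cnc-services": {"cnc-service": [
                               {"protocol": "tcp", "port": "200", "address": "FireEye-TestEvent.example.com"},
                               {"protocol": "tcp", "port": "201", "address": "127.0.0.100"}]},
                           "malware-detected": {"malware": [
                               {"type": "link", "name": "Suspicious.URL", "url": "compl_0_1-someurl.x1y2z3.com"},
                               {"name": "FireEye-TestEvent-SIG", "objurl": "compl_0_1-someurl.x1y2z3.com"}]}},
           "occurred": "2014-04-13T21:02:48Z", "id": "1", "action": "notified",
           "dst": {"ip": "127.0.0.20", "port": "20"}, "name": "web-infection"}}
""")

# Dashboard column -> dotted Splunk field path, copied from the guide's two mapping tables.
# (FIELD_MAP is my own name; the paths are the guide's.)
FIELD_MAP = {
    "Type": "alert.name",
    "ID": "alert.id",
    "File Type": "alert.explanation.malware-detected.malware.type",
    "Malware": "alert.explanation.malware-detected.malware.name",
    "Severity": "alert.severity",
    "Time (UTC)": "alert.occurred",
    "Source IP": "alert.src.ip",
    "Target IP": "alert.dst.ip",
    "MD5": "alert.explanation.malware-detected.malware.md5sum",
    "URL": "alert.explanation.cnc-services.cnc-service.address",
    "Action taken": "alert.action",
    "Protocol": "alert.explanation.protocol",
    "Source port": "alert.src.port",
    "Destination port": "alert.dst.port",
    "FireEye alert URL": "alert.alert-url",
}


def extract_path(obj, path):
    """Walk a dotted path through nested dicts.

    When a list is met (the cnc-service{} / malware cases), the remaining path is
    applied to every element and the results are flattened, like a Splunk
    multivalue field. Returns a list of leaf values; a missing key yields [].
    """
    if not path:
        return [] if isinstance(obj, (dict, list)) else [obj]
    if isinstance(obj, list):
        return [value for item in obj for value in extract_path(item, path)]
    if not isinstance(obj, dict):
        return []
    key, _, rest = path.partition(".")
    if key not in obj:
        return []
    return extract_path(obj[key], rest)


def dashboard_row(event):
    """Build one dashboard row: single values stay scalars, repeated values stay
    lists, and fields absent from the event (like MD5 on a web infection, or the
    'Not Passed' Location column) come back as None."""
    row = {}
    for column, path in FIELD_MAP.items():
        values = extract_path(event, path)
        row[column] = None if not values else values[0] if len(values) == 1 else values
    return row


if __name__ == "__main__":
    for column, value in dashboard_row(SAMPLE_EVENT).items():
        print(f"{column:18} {value}")
```

Splunk's own JSON extraction produces the same dotted names, so a search such as `sourcetype=fe_json | table alert.name, alert.severity, alert.src.ip, alert.dst.ip` should return the scalar columns of this row, and the list-valued columns show where a panel needs `mvexpand` or a similar treatment before counting.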


Now that we know all of these fields and what they map to in Splunk, we can once again replicate the FireEye dashboards using JSON (via HTTP POST) instead of using syslog as we did in our introductory guide. The final dashboard using JSON will be provided at the end of the article in the Appendix section. For a quick Splunk tutorial on carving incoming data, see our introductory FireEye/Splunk paper for the following topics which will not be repeated in this guide:

• How to Replicate a FireEye Dashboard
  - Simple Searches
  - Piping Search Results
  - Using Regular Expressions
  - Using Conditionals
    • If Statement
    • Case Statement
  - Sorting Searches
  - Renaming the Columns
  - Save As Dashboard Panel
• Time Frames


Parsing Other Formats

We mentioned earlier that FireEye is flexible in its notification output formats because it supports sending the following formats via HTTP POST:

Text: Normal, Concise, Extended
JSON: Normal, Concise, Extended
XML: Normal, Concise, Extended

After experimenting with the formats, it appears that extended XML may also be a robust alternative format to send to Splunk (via HTTP POST) due to its verbosity and structure. We will briefly explore this option in this paper, but we recommend sticking with the extended JSON solution we have outlined. As we will learn further down, there are still some challenges to overcome with XML. These points will not be covered in this paper; however, one possible solution is present in the latest FireEye App for Splunk Enterprise.

Experimenting with XML

If you too want to experiment with XML, we have to first change the FireEye notification format to XML. This is a pretty easy change in the FireEye device. This is done by going to “Settings”, “Notifications”, and then clicking “HTTP”. FireEye provides the ability to change the default format for all of the HTTP servers, or the default can be overridden with a per-server entry. Here, we will configure a per-server entry that will apply for this Splunk server only. We also recommend changing the sourcetype to read fe_xml instead of fe_json.

New server URL: https://<SplunkAD.DR.ESS>:<PORT>/services/receivers/simple?host=<FireEyeAddress>&source=wmps&sourcetype=fe_xml


Remember to click the “Update” button when finished. Finally, fire off a test event so there is XML data to look at in Splunk.

We can inspect an XML field with the following Splunk search: “sourcetype=fe_xml”

XML has the same issue that JSON experienced. FireEye OS 7.1 and later uses “pretty print” to display the event notification over multiple lines. Compare the difference in the examples below.

Figure 9: Changing the FireEye appliance to use XML for Splunk event notification


Single Line XML

A typical single line XML (pre FE OS 7.1) event appears similar to the following:

<?xml version="1.0" encoding="utf-8"?><alerts appliance="fireeye-wmps.local" msg="extended" product="Web MPS" version="7.0.2.156588" xmlns="http://www.fireeye.com/alert/2011/AlertSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.fireeye.com/alert/2011/AlertSchema FireEyeAlert.xsd"><alert id="691256" name="malware-object" severity="majr"><explanation analysis="binary" protocol="tcp"><malware-detected><malware name="FireEye-TestEvent-SIG"><downloaded-at>2014-04-01T11:50:59Z</downloaded-at><md5sum>d41d8cd98f00b204e9800998ecf8427e</md5sum><profile>winxp-sp2-rp</profile><executed-at>2014-04-01T11:50:59Z</executed-at><application>explorer</application></malware></malware-detected><cnc-services><cnc-service port="200" protocol="tcp"><address>FireEye-TestEvent.example.com</address><channel>FireEye-TestEvent Channel 1</channel></cnc-service><cnc-service port="201" protocol="tcp"><address>127.0.0.100</address><channel>cncs 2 channel fields</channel></cnc-service></cnc-services><service>FireEye-TestEvent EA Service</service></explanation><src vlan="0"><ip>169.250.0.1</ip><host>NA-testing.fe-notify-examples.com</host><port>10</port><mac>XX:XX:XX:XX:XX:XX</mac></src><dst><ip>127.0.0.20</ip><mac>XX:XX:XX:XX:XX:XX</mac><port>20</port></dst><occurred>2014-04-01T11:50:57Z</occurred><alert-url>https://fireeye-wmps.local/event_stream/events_for_bot?ma_id=691256</alert-url><action>notified</action></alert></alerts>


Multiline XML

A typical multiline XML (FE OS 7.1 and later) event looks like the following:

<?xml version="1.0" encoding="utf-8"?><alerts appliance="WebMPS.localdomain" msg="extended" product="Web MPS" version="7.1.0.180577" xmlns="http://www.fireeye.com/alert/2013/AlertSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.fireeye.com/alert/2013/AlertSchema FireEyeAlert.xsd">
  <alert id="26" name="infection-match" severity="minr">
    <explanation analysis="content" protocol="tcp">
      <malware-detected>
        <malware name="FireEye-TestEvent-SIG-IM" sid="30" stype="bot-command"/>
      </malware-detected>
    </explanation>
    <src vlan="0">
      <ip>169.250.0.1</ip>
      <host>IM-testing.fe-notify-examples.com</host>
      <port>10</port>
--SNIP--


Universal Parser

To remedy this issue, we have once again created a regular expression that will act as a universal FireEye parser, but this time for XML events. Perform the following steps:

Step 1) Create the following file if it does not exist:

$SPLUNK_HOME/etc/system/local/props.conf

Step 2) Add the following contents (below the fe_json if desired):

# Universal Handler for FireEye JSON notifications (pre and post FireEye OS 7.1)
[fe_json]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\{.*\}$)

# Universal Handler for FireEye XML notifications (pre and post FireEye OS 7.1)
[fe_xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\<\?xml.*\<\/alerts\>$)

Step 3) Restart splunkd:

$SPLUNK_HOME/bin/splunk restart splunkd

Send another test event and observe that we have whole events—regardless of the FireEye OS version.

After clicking on the arrow to expand the event, notice that Splunk attempts to extract data into fields, but is not able to extract all of the fields. There are a couple of options at this point, but in this paper we will try to pipe our search through the xmlkv command.


According to Splunk, the xmlkv command “extracts xml key-value pairs”. The description is as follows:

“Finds key value pairs of the form <foo>bar</foo> where foo is the key and bar is the value from the _raw key.”

Using the included xmlkv command, let’s see what fields Splunk is able to parse:

The XML fields map as follows:

FireEye Field                                          Splunk Field
Type                                                   name
ID                                                     id
File Type                                              type
Malware                                                Not parsed with xmlkv (need regex)
Severity                                               severity
Time (UTC)                                             occurred
Source IP                                              Not parsed with xmlkv (need regex)
Target IP                                              ip
MD5                                                    md5sum
URL (malware callback, domain match, malware object)   address
URL (web infection)                                    Not parsed with xmlkv (need regex)
Location                                               Not passed

The other useful XML fields map as follows:

FireEye Field                                          Splunk Field
Action taken                                           action (may indicate blocked)
Protocol                                               Not parsed with xmlkv (need regex)
Source port                                            Not parsed with xmlkv (need regex)
Destination port                                       port
FireEye alert URL                                      alert-url (useful for linking to FE event)


Why are some of these fields not parsed via xmlkv when they were parsed in JSON? The data is obviously present in the raw packet. We identified the issue below:

--SNIP--
<src vlan="0"><ip>169.250.0.1</ip><host>NA-testing.fe-notify-examples.com</host><port>10</port><mac>XX:XX:XX:XX:XX:XX</mac></src>
<dst><ip>127.0.0.20</ip><mac>XX:XX:XX:XX:XX:XX</mac><port>20</port></dst>
--SNIP--

Notice that in both sections, the IP is identified by the <ip> tag. The xmlkv command will only recognize the last instance because it appears to overwrite all prior tags with the same name. The same issue occurs with the <mac> and <port> tags.

The reason for this is due to a limitation in the xmlkv parser found here:

$SPLUNK_HOME/etc/apps/search/bin/xmlkv.py

The code snippet below overwrites previous keys with the latest value:

for kvpair in XML_KV_RE.findall(rawOut):
    r[kvpair[0]] = kvpair[1]
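To make the overwrite concrete, and to show what a parser that survives repeated tags has to do instead, here is an added Python example (my code, not the guide's and not Splunk's xmlkv.py). It runs a last-value-wins loop of the same shape as the snippet above over a constructed XML fragment built from the <src>/<dst> pair the guide shows, then extracts the same fragment two other ways: keyed by the element path below <alerts>, so src.ip and dst.ip can never collide, and as a multivalue dictionary that keeps every value per tag. The XML_KV_RE regex here is my stand-in for the <foo>bar</foo> shape xmlkv describes (the real pattern in xmlkv.py is not shown on the page), and the helper names are mine; the namespace declarations are omitted from the sample for brevity.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the <src>/<dst> fragment the guide shows (namespaces omitted).
SAMPLE_XML = """<alerts><alert id="691256" name="malware-object" severity="majr">
<src vlan="0"><ip>169.250.0.1</ip><host>NA-testing.fe-notify-examples.com</host><port>10</port><mac>XX:XX:XX:XX:XX:XX</mac></src>
<dst><ip>127.0.0.20</ip><mac>XX:XX:XX:XX:XX:XX</mac><port>20</port></dst>
<occurred>2014-04-01T11:50:57Z</occurred><action>notified</action>
</alert></alerts>"""

# Stand-in for xmlkv's key/value pattern: <foo ...>bar</foo> with no nested tags in bar.
XML_KV_RE = re.compile(r"<([A-Za-z_][\w.-]*)[^>]*>([^<]+)</\1>")


def xmlkv_like(raw):
    """Flat dict, last tag wins: the behaviour the guide identifies in xmlkv.py."""
    r = {}
    for kvpair in XML_KV_RE.findall(raw):
        r[kvpair[0]] = kvpair[1]
    return r


def path_qualified_kv(raw):
    """Key every leaf by its element path below <alerts>, so a repeated tag such as
    <ip> under <src> and <dst> yields two distinct fields instead of one."""
    root = ET.fromstring(raw)
    fields = {}

    def walk(node, prefix):
        for child in node:
            name = child.tag.split("}")[-1]  # drop a namespace prefix if one is present
            path = f"{prefix}.{name}" if prefix else name
            if len(child) == 0 and child.text and child.text.strip():
                fields[path] = child.text.strip()
            walk(child, path)

    walk(root, "")
    return fields


def multivalue_kv(raw):
    """Closer to a Splunk multivalue field: keep every value seen for each tag name."""
    fields = {}
    for key, value in XML_KV_RE.findall(raw):
        fields.setdefault(key, []).append(value)
    return fields


if __name__ == "__main__":
    print("xmlkv-like ip:", xmlkv_like(SAMPLE_XML)["ip"])          # only the <dst> value survives
    qualified = path_qualified_kv(SAMPLE_XML)
    print("src ip:", qualified["alert.src.ip"], "dst ip:", qualified["alert.dst.ip"])
    print("all ip values:", multivalue_kv(SAMPLE_XML)["ip"])
```

For a dashboard the path-qualified form is the one to aim for, because "Source IP" and "Target IP" are separate columns; the multivalue form is enough when a panel only needs to know whether an address appeared anywhere in the alert.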

Summary of Differences

It appears that FireEye sends comparable data with either format (JSON or XML). However, the current add-on XML parser in Splunk does not handle repeated tags. FireEye’s XML requires some custom parsing, which will be covered in a later paper, but is already used in the most recent FireEye App for Splunk Enterprise.

Bottom line: Pick the format that makes the most sense for your organization.
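The repeated-tag problem goes away once each leaf is keyed on its full path rather than its bare tag name. The Python below is an added example, not code from this guide or from Splunk's xmlkv.py; it uses a constructed <alert> fragment modelled on the <src>/<dst> snippet above, contrasts the last-wins flattening described in the text with a path-qualified walk, and keeps alert.src.ip and alert.dst.ip apart.

```python
"""Added example (not from the FireEye guide or Splunk's xmlkv.py): extract
key/value pairs from a FireEye-style XML alert so that repeated tag names such
as <ip>, <mac> and <port> under <src> and <dst> are kept apart instead of the
last occurrence overwriting the earlier ones."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <src>/<dst> fragment quoted in the guide.
SAMPLE_ALERT_XML = """<alert name="malware-callback" severity="majr">
  <src vlan="0"><ip>169.250.0.1</ip><host>NA-testing.fe-notify-examples.com</host><port>10</port><mac>XX:XX:XX:XX:XX:XX</mac></src>
  <dst><ip>127.0.0.20</ip><mac>XX:XX:XX:XX:XX:XX</mac><port>20</port></dst>
</alert>"""

# Leaf-tag regex in the spirit of the extraction the guide describes: every
# <tag>text</tag> becomes a key, and later matches silently replace earlier ones.
XML_KV_RE = re.compile(r"<([A-Za-z_][\w\-]*)[^>]*>([^<]*)</\1>")


def flat_kv(raw):
    """Last-wins flattening: the behaviour that loses src.ip, src.port, src.mac."""
    r = {}
    for key, value in XML_KV_RE.findall(raw):
        r[key] = value
    return r


def path_kv(raw, sep="."):
    """Walk the tree and key every leaf by its full path, e.g. 'alert.src.ip'.
    Attributes become path.attr; if the same path really does repeat, the
    values are collected in a list instead of being overwritten."""
    root = ET.fromstring(raw)
    out = {}

    def add(key, value):
        if key in out:
            existing = out[key]
            if isinstance(existing, list):
                existing.append(value)
            else:
                out[key] = [existing, value]
        else:
            out[key] = value

    def walk(elem, prefix):
        path = prefix + sep + elem.tag if prefix else elem.tag
        for attr, val in elem.attrib.items():
            add(path + sep + attr, val)
        children = list(elem)
        if not children:
            add(path, (elem.text or "").strip())
        for child in children:
            walk(child, path)

    walk(root, "")
    return out


if __name__ == "__main__":
    print("last-wins:", flat_kv(SAMPLE_ALERT_XML))
    print("path-qualified:", path_kv(SAMPLE_ALERT_XML))
```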


Creating Apps

Now that you have the data to start creating your dashboard, you may want to first separate it into its own Splunk App. This can be achieved manually or by using the Splunk App Builder. The easiest way to create an app is to follow the steps below:

Log into Splunk Web as an admin and navigate to Apps > Manage Apps.

1. Click Create app.
2. Fill in the following data:

- Name: MyFireEyeApp
- Folder Name: myfireeyeapp
- Version: 1
- Visible: Yes
- Author: <Your name>
- Template: barebones

By default, none of the supporting directories are created without first creating a dashboard in the app. If you don’t already have a dashboard in mind that you will move to this app, you will need to create a quick dummy dashboard so you can practice customizing your app.

To create a dummy (empty) dashboard, use the following steps:

• Click “Apps” -> Select our newly-created FireEye app
• Click the “Dashboards” link
• Click the “Create New” button
• Fill in the data
• Click the “Create Dashboard” button


Moving a Dashboard

If you have already completed a dashboard (maybe using our prior guide), you can move it to the app we just created. It is as easy as copy and paste.

1. Go to your current dashboard
2. Click “Edit” -> “Edit Source”
3. Highlight and copy all of the code in the text box
4. Go to your new FireEye App -> Dashboard
5. Create Dashboard
6. Fill in the data and click the “Create Dashboard” button
7. Enter the new dashboard
8. Click “Edit” -> “Edit Source”
9. Click in the code box and right click -> paste
10. Save the new dashboard

Customizing an App

Now that we have an app and a dashboard, it is time to customize. We will demonstrate this by changing the colors of the navigation bars and the icons of the app. This next part requires a little under-the-hood work, but we will walk you through it. We need access to the Splunk server’s underlying OS and directories. If you are not the administrator of the server, you may need their assistance in creating or copying the required files.

App Navigation Colors

Notice that the colors of the FireEye app are still “Splunk green”, but this too is editable. For example, look at the before and after screenshots below:

Before:

Figure 10: App color is Splunk green Figure 11: App navigation is Splunk green


After:

This customization is possible by editing the following file:

$SPLUNK_HOME/etc/apps/fireeye/local/data/ui/nav/default.xml

Default contents:

<nav search_view="search" color="#65A637">
  <view name="search" default='true' />
  <view name="data_models" />
  <view name="reports" />
  <view name="alerts" />
  <view name="dashboards" />
</nav>

This file is currently controlling two aspects of the dashboard:

1. The default navigation links (Search, Pivot, Reports, Alerts, Dashboards)
2. The color of the navigation bars. The Splunk green color is indicated above by: #65A637

We will change the color to match the dark blue in the FireEye 7.1 appliance. Using the following hex code, we can get a close color match: #21232E

After color change:

<nav search_view="search" color="#21232E">
  <view name="search" default='true' />
  <view name="data_models" />
  <view name="reports" />
  <view name="alerts" />
  <view name="dashboards" />
</nav>

Remember to restart splunkd when finished making changes:

$SPLUNK_HOME/bin/splunk restart splunkd

Figure 12: Custom FireEye appliance dark blue Figure 13: Custom FireEye appliance blue


App Icons

It is subtle at first, but some may notice that the Apps dropdown and Apps Launcher are missing icons. Since we just created the app, Splunk has no default icons present. For example, look at the before and after screenshots below:

Before:

After:

Figure 14: Our newly created app is missing icons Figure 15: App logo is just text

Figure 16: Custom FireEye Icons Figure 17: Custom FireEye Log


For us to add app icons, they first need to be created, appropriately named, and added to a specific directory for Splunk to properly populate the dashboard. The directory and filenames are listed below:

Splunk 6.0 directory and files:

Larger main app icon:
$SPLUNK_HOME/etc/apps/<app_name>/static/appIcon.png
$SPLUNK_HOME/etc/apps/<app_name>/static/appIcon_2x.png

Smaller icon in the Apps dropdown:
$SPLUNK_HOME/etc/apps/<app_name>/static/appIconAlt.png
$SPLUNK_HOME/etc/apps/<app_name>/static/appIconAlt_2x.png

Application banner logo (right hand side of app):
$SPLUNK_HOME/etc/apps/<app_name>/static/appLogo.png
$SPLUNK_HOME/etc/apps/<app_name>/static/appLogo_2x.png

Splunk 5.0 directory and files (useful for backward compatibility):

Larger main app icon:
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/appIcon.png
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/appIcon_2x.png

Smaller icon in the Apps dropdown:
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/appIconAlt.png
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/appIconAlt_2x.png

Application banner logo (right hand side of app):
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/appLogo.png
$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/appLogo_2x.png

Pro-tips:
• Images should be at least 165 pixels to provide a crisp icon; Splunk resizes them based on the file name
• All images should be transparent to account for mouseover color changes
• Hard refresh the screen after populating the directory with the icons. Most browsers support a hard refresh by using Ctrl + F5


Dashboard Details

Now that we have navigation colors and application icons, let’s put some finishing touches on the appearance of the dashboards. We can customize just about any portion of the dashboard using cascading style sheets (CSS), even minor details such as the font size, 3D effects, and parts of the dashboard we could not modify using other configuration files.

For example, look at the before and after screenshots below:

Before:

Figure 18: The standard dashboard colors

After:

Figure 19: Our customized dashboard


This detailed customization can be done in three easy steps. First, create a custom cascading style sheet (CSS). Then we will reference that from the simple XML in our dashboard. Finally, we will restart the splunkweb service. Follow the steps below to complete this activity:

1) Create a new CSS file called custom.css with the content below in the following location:

$SPLUNK_HOME/etc/apps/<app name>/appserver/static/

If our app name from the above example was used then the path will be:

$SPLUNK_HOME/etc/apps/myfireeyeapp/appserver/static/

custom.css:

/* Set the background color of all of the nav bars to match the FireEye dashboard background color */
.footer, .header, .app-bar, .nav, .nav-pills, .navbar-inner, a.dropdown-toggle {
    background: #21232E !important;
}

/* Set the color of the hyperlink text in our dashboard to white for readability. Add 3-D effect with shadows */
.app-bar .nav-pills > li > a, .nav-footer > li > a {
    /* color:#D12131 !important; */  /* FireEye red, kept for reference but disabled */
    color: white !important;
    text-shadow: -1px 0px black, 0px 1px black, 1px 0px black, 0px -1px black;
    font-size: 14px !important;
}

/* If the FireEye logo (appLogo.png or appLogoWhite.png) does not exist, the text will be the correct size and color */
div.app-name {
    color: #D12131 !important;
    text-shadow: -1px 0px black, 0px 1px black, 1px 0px black, 0px -1px black;
    font-size: 26px !important;
}


2) Edit the dummy or copied dashboard source (Edit -> Edit Source) and change:

<form>

to:

<form stylesheet="custom.css">

- or -

<dashboard>

to:

<dashboard stylesheet="custom.css">

3) From the command line of the Splunk server restart the splunkweb service:

$SPLUNK_HOME/bin/splunk restart splunkweb


Sample FireEye Dashboards

Now that we have walked through the process of sending data to Splunk, creating an app, and customizing the appearance, we will provide some dashboards that we have put together.

Note: All of these queries use sourcetype=fe_json; if the sourcetype name was modified, please change the queries below as well.

To add these dashboard panels to the blank FireEye dashboard, perform the following actions:

• Copy and paste the search string into the Splunk search box
• Click the “Save As” button and select “Dashboard Panel”
• Select “Existing” Dashboard
• Select our FireEye dashboard and give the panel a title (ex: Alerts, Callback Activity, etc.)
• Click “Save”

NX (web MPS)

The most useful chart in the FireEye dashboard is used to look at the raw events. This dashboard is replicated below.

Alerts -> Alerts:

Note: In the eval statement, all JSON field names must be wrapped in single quotes (‘). This is needed because the period character "." is otherwise interpreted by eval as the string concatenation operator.

sourcetype=fe_json | eval UrlHash=case('alert.name'=="malware-object",'alert.explanation.malware-detected.malware.md5sum', 'alert.name'=="web-infection",'alert.explanation.malware-detected.malware{}.objurl', 'alert.name'=="malware-callback" OR 'alert.name'=="domain-match",'alert.explanation.cnc-services.cnc-service.address') | sort -occurred | table alert.name, alert.id, alert.explanation.malware-detected.malware.name, alert.severity, alert.occurred, alert.explanation.protocol, alert.src.ip, alert.src.port, alert.dst.ip, alert.dst.port, UrlHash | rename alert.name AS Type, alert.id AS ID, alert.explanation.malware-detected.malware.name AS Malware, alert.severity AS Severity, alert.occurred AS Occurred, alert.explanation.protocol AS Protocol, alert.src.ip AS "Source IP", alert.src.port AS "Source Port", alert.dst.ip AS "Target IP", alert.dst.port AS "Target Port", UrlHash AS "URL/Md5sum"


Notice that the Malware name for a web-infection event is missing:

This is because the correct value was stored in an array:

The fix for this issue requires parsing via custom regex and will be covered in a more advanced paper.
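To see the array problem outside Splunk, the Python below is an added example (not code from this guide or from FireEye) that derives the Alerts table's Malware and URL/Md5sum columns from constructed FireEye-style JSON alerts, treating malware-detected.malware as either a single object or an array so the web-infection name is not lost. The field paths follow the searches on this page; the sample values are placeholders.

```python
"""Added example (not from the FireEye guide): reproduce the Alerts table's
Malware and URL/Md5sum columns in Python, handling the web-infection case
where malware-detected.malware is an array (Splunk's 'malware{}' notation)
rather than a single object."""
import json

# Constructed sample alerts modelled on the field paths used in the guide's
# searches; all values are placeholders, not real FireEye output.
SAMPLE_ALERTS_JSON = """[
 {"alert": {"name": "malware-object", "id": 1, "severity": "majr",
   "explanation": {"malware-detected": {"malware":
      {"name": "Trojan.Example", "md5sum": "d41d8cd98f00b204e9800998ecf8427e"}}}}},
 {"alert": {"name": "web-infection", "id": 2, "severity": "crit",
   "explanation": {"malware-detected": {"malware": [
      {"name": "Exploit.Example", "objurl": "http://malware.example/landing"}]}}}},
 {"alert": {"name": "malware-callback", "id": 3, "severity": "majr",
   "explanation": {"malware-detected": {"malware": {"name": "Backdoor.Example"}},
                   "cnc-services": {"cnc-service": {"address": "cnc.example:8080"}}}}}
]"""


def get_path(obj, path):
    """Follow a dotted path such as 'alert.explanation.malware-detected.malware'
    through nested dicts; returns None when any segment is missing."""
    for seg in path.split("."):
        if not isinstance(obj, dict) or seg not in obj:
            return None
        obj = obj[seg]
    return obj


def as_list(value):
    """Normalise the single-object / array ambiguity to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def alert_row(alert):
    """Build the row the SPL 'table ... | rename ...' pipeline produces."""
    name = get_path(alert, "alert.name")
    malware = as_list(get_path(alert, "alert.explanation.malware-detected.malware"))
    # Malware column: first name found, whether malware is an object or an array
    malware_name = next((m.get("name") for m in malware if m.get("name")), None)
    # UrlHash column: same per-type logic as the guide's eval case()
    if name == "malware-object":
        url_hash = next((m.get("md5sum") for m in malware if m.get("md5sum")), None)
    elif name == "web-infection":
        url_hash = next((m.get("objurl") for m in malware if m.get("objurl")), None)
    elif name in ("malware-callback", "domain-match"):
        url_hash = get_path(alert, "alert.explanation.cnc-services.cnc-service.address")
    else:
        url_hash = None
    return {
        "Type": name,
        "ID": get_path(alert, "alert.id"),
        "Malware": malware_name,
        "Severity": get_path(alert, "alert.severity"),
        "URL/Md5sum": url_hash,
    }


def alert_rows(raw_json):
    """Parse a JSON array of alerts and return one table row per alert."""
    return [alert_row(a) for a in json.loads(raw_json)]


if __name__ == "__main__":
    for row in alert_rows(SAMPLE_ALERTS_JSON):
        print(row)
```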

Alerts -> Callback Activity:

sourcetype=fe_json "alert.name"="malware-callback" | stats count(alert.explanation.cnc-services.cnc-service.address) as "Events", distinct_count(alert.src.ip) as "Hosts", max(alert.occurred) as "Last Seen" by alert.explanation.cnc-services.cnc-service.address | table alert.explanation.cnc-services.cnc-service.address, locations, Events, Hosts, "Last Seen" | rename alert.explanation.cnc-services.cnc-service.address as "C&C Server", locations as "Locations" | sort -"Last Seen"

Time Frames:

Our first guide illustrated how to add a time range picker; this is worth mentioning here again. Click the “Edit” drop down. Click “Edit Panels”. Click “Add Time Range Picker”. Select Last 24 Hours. Click the “Done” button.

Figure 21: Adding a time range picker to our dashboard


Pro-tip: If for some reason your time range picker is not working as expected (ours did not by default), the search string’s own time range is overriding the picker. Here is how to fix it:

Go to your dashboard. Click the “Edit” drop down. Click “Edit Panels”. Click the magnifying glass drop down, and select “Edit Search String”. In the “Time Range Scope” section, select the “Dashboard” button and click save. Now the “Time Range Picker” button will function as expected.

Figure 22: Setting the Time Range Scope to use the dashboard instead of the search string time frame


Panels to Enhance Visibility

Now that you have a Splunk dashboard that replicates the FireEye Dashboard, let’s go further by adding more panels that will enhance the network defender’s visibility into attacks. Splunk has many visualization features that allow users to build charts and graphs for trending and analytics.

NX (web MPS)

We can take some of the fields that we exposed in the FireEye dashboard above and create pie charts to summarize key data points. This can help gauge whether an organization is experiencing an increase or lull in attacks, as well as identify trends in malware and Command and Control (C2) ports. Each chart below is optional and may depend on the organization or security team’s preferences.

Severity Pie Chart:

sourcetype=fe_json | chart count by alert.severity

Select pie chart

After typing in the search above, select the visualization tab, then pie chart. Click the “Save As” button, select “Dashboard Panel”, click the “Existing” Button. Select the FireEye Dashboard and provide a title of “Severity”. Select “View in Dashboard” to look at your new dashboard. Now, let’s move the graph to the top by clicking “Edit” -> “Edit Panels”. Drag the pie chart to the top of the screen. Click “Done” when finished. We will follow this same procedure to add the rest of the charts.

Figure 23: Current dashboard after adding severity pie chart.


Malware Pie Chart:

sourcetype=fe_json | chart count by alert.explanation.malware-detected.malware.name

Select pie chart

Top 20 Most Active Source IPs:

sourcetype=fe_json | top limit=20 alert.src.ip

Select pie chart

Top 20 Most Active Target IPs:

sourcetype=fe_json | top limit=20 alert.dst.ip

Select pie chart

Top 20 Most Active Destination Ports:

sourcetype=fe_json | top limit=20 alert.dst.port

Select pie chart

Most Active Sensors:

sourcetype=fe_json | chart count by appliance

Select pie chart

After arranging all of the charts, the dashboard should look similar to the following:

Figure 24: Current dashboard after adding all of the charts


Adding Forms (Filters)

A Splunk form allows users to supply search terms within the dashboard to assist in carving data. This user interaction can take place via text boxes, dropdown menus, radio buttons, or search terms. We will illustrate how to add a wild card to one search below as an example, but we will also provide a Simple XML Dashboard in the appendix that will apply a wildcard search to the entire dashboard. Continue on to see how this works.

Adding forms can be broken down into two steps:

1. Add tokens to search strings
2. Add user input forms


Adding Tokens to Search Strings

Tokens are defined by using dollar signs ‘$’ around variable names. Let’s use our Alerts dashboard search as an example. Compare the before and after: the only change (shown in bold red in the original layout) is the $wild$ token added right after the sourcetype.

Before:

sourcetype=fe_json | eval UrlHash=case('alert.name'=="malware-object",'alert.explanation.malware-detected.malware.md5sum', 'alert.name'=="web-infection",'alert.explanation.malware-detected.malware{}.objurl', 'alert.name'=="malware-callback" OR 'alert.name'=="domain-match",'alert.explanation.cnc-services.cnc-service.address') | sort -occurred | table alert.name, alert.id, alert.explanation.malware-detected.malware.name, alert.severity, alert.occurred, alert.explanation.protocol, alert.src.ip, alert.src.port, alert.dst.ip, alert.dst.port, UrlHash | rename alert.name AS Type, alert.id AS ID, alert.explanation.malware-detected.malware.name AS Malware, alert.severity AS Severity, alert.occurred AS Occurred, alert.explanation.protocol AS Protocol, alert.src.ip AS "Source IP", alert.src.port AS "Source Port", alert.dst.ip AS "Target IP", alert.dst.port AS "Target Port", UrlHash AS "URL/Md5sum"

After:

sourcetype=fe_json $wild$ | eval UrlHash=case('alert.name'=="malware-object",'alert.explanation.malware-detected.malware.md5sum', 'alert.name'=="web-infection",'alert.explanation.malware-detected.malware{}.objurl', 'alert.name'=="malware-callback" OR 'alert.name'=="domain-match",'alert.explanation.cnc-services.cnc-service.address') | sort -occurred | table alert.name, alert.id, alert.explanation.malware-detected.malware.name, alert.severity, alert.occurred, alert.explanation.protocol, alert.src.ip, alert.src.port, alert.dst.ip, alert.dst.port, UrlHash | rename alert.name AS Type, alert.id AS ID, alert.explanation.malware-detected.malware.name AS Malware, alert.severity AS Severity, alert.occurred AS Occurred, alert.explanation.protocol AS Protocol, alert.src.ip AS "Source IP", alert.src.port AS "Source Port", alert.dst.ip AS "Target IP", alert.dst.port AS "Target Port", UrlHash AS "URL/Md5sum"


Adding User Input Forms

If you had a time range picker on your previous dashboard, you should remove it now. We will add it back in manually, which will prevent some minor annoyances. We will add this wildcard search field above the very first row, which will place it at the top of our dashboard. As a reminder, we can edit the XML by clicking on the “Edit” button and selecting “Edit Source”.

Before:

<form>
  <label>FireEye</label>
  <row>
    <chart>

After:

<form>
  <label>FireEye</label>
  <!-- Add time range picker -->
  <fieldset autoRun="True">
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h@h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <!-- Add Wildcard Search (Form) -->
    <input type="text" token="wild">
      <label>Search</label>
      <default>*</default>
      <suffix/>
    </input>
  </fieldset>
  <row>


Pro-tip: Be sure to add the $wild$ token to all search strings for all panels on the dashboard (charts, tables, graphs, etc).

To operate the search, just change the Search field at the top of the page and search for whatever term is desired. Be sure to click the “Search” button when finished. To clear a previous search, enter an asterisk in the search field and click the “Search” button again.

Figure 25: All of the combined pieces used to create the user input form


For more information see the following Splunk doc: http://docs.splunk.com/Documentation/Splunk/6.0.2/Viz/Buildandeditforms

Figure 26: Demonstrating the use of the wildcard search


GeoIP Maps

Everyone loves a map with pretty dots on it. But how about a map with pie charts overlaid with malware distribution? This is possible using an easy two-step process outlined below:

1. Generate a search with latitude and longitude coordinates
2. Editing the simple XML, change the <chart> or <table> tag to <map>

In our example below we will track where the attacks are originating, so we look at the destination IP address. However, it is possible to change the IP address to whatever suits your needs. Some may want to know which hosts are infected; thus they would map the source IP instead. Keep in mind, though, that RFC 1918 addresses do not have geoIP data associated with them.

iplocation

No Internet access is required to utilize Splunk’s iplocation command, which extracts location information using 3rd party geoIP databases.

Syntax:

<search> | iplocation <field of interest>

JSON:

sourcetype=fe_json | iplocation alert.dst.ip

Source: http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Iplocation

geostats

Now that we have the lat/long information from the iplocation command, we will feed that data into the geostats command, which according to Splunk:

“Generate[s] statistics which are clustered into geographical bins to be rendered on a world map.”

Source: http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Geostats

Our search string will look like the following:

sourcetype=fe_json | iplocation alert.dst.ip | geostats latfield=lat, longfield=lon count by alert.explanation.malware-detected.malware.name


After entering the data above in the search field, save it to the FireEye dashboard by selecting “Save As -> Dashboard Panel”. Select existing, choose the FireEye dashboard and call this GeoIP. When this new panel shows up on the dashboard, move it to the top by selecting “Edit -> Edit panels” and dragging the panel to the top. Now, edit the source by clicking “Edit Source”. Edit the simple XML and change the <chart> tag to <map>.

Once the tags are changed to map and the dashboard is saved, the GeoIP map will appear at the top of the dashboard. Please note that FireEye “Test-fire” events use RFC-1918 addresses and will not generate information on the map.

Figure 27: Changing the table tag to map


If you are using CEF or CSV via syslog from our introductory paper, the CSV search string is provided below:

CSV:

CSV:\0:\FireEye | iplocation dst | geostats latfield=lat, longfield=lon count by sname

Figure 28: A GeoIP map at the top of our dashboard.


Pro-tip: We have experienced instances in which the time range picker has caused the geoIP to stop functioning. The best solution we found was to remove the time range picker, add the geoIP, and then add in the time range picker last. In our final Simple XML dashboard that we provide, we will have both geoIP and a functioning time range picker.

Figure 29: A GeoIP location map added to our dashboard maps the attacker IPs along with the threat statistics


Adding Drilldowns

Fortunately, when a user clicks any of the fields in our newly-created dashboard, by default Splunk will pivot around the query that finds the event of interest. Unfortunately, the basic default drilldown behavior is to show the raw data packet, which may not always be pretty. The upside is that this behavior can be overridden by using custom drilldowns. One option is to use <drilldown> tags. However, we will go a step beyond this by using JavaScript to control extracted fields and CSS to control visibility of a detail pane.

Requirements

Unless we are able to embed our JavaScript and CSS into the Splunk Simple XML page, we will need access to the Splunk server’s underlying OS. If you are not the administrator of the server, you may need the Splunk administrator’s assistance in creating or copying the files. Either way, we need to know where to put the files on the Splunk server so they can be referenced.

Supporting File Location:

Splunk dashboards can reference CSS and JavaScript files if they are placed in the following directory:

$SPLUNK_HOME/etc/apps/<app_name>/appserver/static/

For example, our Splunk dashboard was created in the FireEye App directory, so its path will be:

$SPLUNK_HOME/etc/apps/myfireeyeapp/appserver/static/

We will provide example files in the section called: “Drilldown by Event ID”, but first check out the following pro-tip.

Pro-tip: After creating new files in the static directory, remember to restart splunkweb:

$SPLUNK_HOME/bin/splunk restart splunkweb

Simple modifications of files that already exist will not require a splunkweb restart. However, they will require a browser hard refresh to make sure a locally cached version of the JavaScript or CSS file is not used. Most browsers support a hard refresh by using Ctrl + F5.


How to Import Support Files:

According to Splunk: “Use the script and stylesheet attributes to <dashboard> or <form> tags to import a JavaScript or CSS file from the default location for an app. You can also reference script and CSS files from other apps.”

For example:

Import files from the same app:

<dashboard script="myScript.js" stylesheet="myStyles.css">
  . . .
</dashboard>

Source: http://docs.splunk.com/Documentation/Splunk/6.0.2/Viz/OverviewofSimplifiedXML

Drilldown by Event ID

To demonstrate how this works, we will use a small demo page showing our FireEye alerts. This will require some Simple XML modification and two supporting files on the server.

Simple XML:

<form script="inpage_drilldown_form.js" stylesheet="custom.css">
  <label>Drilldown demo</label>
  <fieldset autoRun="True" submitButton="false">
    <!-- Add Time range picker -->
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h@h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <!-- Add Wildcard Search (Form) -->
    <input type="text" token="wild">
      <label>Search</label>
      <default>*</default>
      <suffix/>
    </input>
    <!-- Input to store the drilldown value. Hidden using javascript when the dashboard is loaded. -->
    <input type="text" token="ID" searchWhenChanged="true"/>
  </fieldset>
  <row>
    <table id="master">
      <title>Alerts</title>
      <searchString>sourcetype=fe_json $wild$ | eval UrlHash=case('alert.name'=="malware-object",'alert.explanation.malware-detected.malware.md5sum', 'alert.name'=="web-infection",'alert.explanation.malware-detected.malware{}.objurl', 'alert.name'=="malware-callback" OR 'alert.name'=="domain-match",'alert.explanation.cnc-services.cnc-service.address') | sort -occurred | table alert.name, alert.id, alert.explanation.malware-detected.malware.name, alert.severity, alert.occurred, alert.explanation.protocol, alert.src.ip, alert.src.port, alert.dst.ip, alert.dst.port, UrlHash | rename alert.name AS Type, alert.id AS ID, alert.explanation.malware-detected.malware.name AS Malware, alert.severity AS Severity, alert.occurred AS Occurred, alert.explanation.protocol AS Protocol, alert.src.ip AS "Source IP", alert.src.port AS "Source Port", alert.dst.ip AS "Target IP", alert.dst.port AS "Target Port", UrlHash AS "URL/Md5sum"</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
  <row>
    <table id="detail">
      <title>Alert Detail: $ID$</title>
      <searchTemplate>sourcetype=fe_json alert.id=$ID$ $wild$ | table _raw, alert.alert-url</searchTemplate>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
    </table>
  </row>
</form>


Supporting files on the server:

inpage_drilldown_form.css

/* Hide the third form input (the field that holds the $ID$ drilldown token) */
#field3 {
    display: none;
}

Since this is minor, we can add it to our previous custom.css:

/* Set the background color of all of the nav bars to match the FireEye dashboard background color */
.footer, .header, .app-bar, .nav, .nav-pills, .navbar-inner, a.dropdown-toggle {
    background: #21232E !important;
}

/* Set the color of the hyperlink text in our dashboard to white for readability. Add 3-D effect with shadows */
.app-bar .nav-pills > li > a, .nav-footer > li > a {
    /* color:#D12131 !important; */  /* FireEye red, kept for reference but disabled */
    color: white !important;
    text-shadow: -1px 0px black, 0px 1px black, 1px 0px black, 0px -1px black;
    font-size: 14px !important;
}

/* If the FireEye logo (appLogo.png or appLogoWhite.png) does not exist, the text will be the correct size and color */
div.app-name {
    color: #D12131 !important;
    text-shadow: -1px 0px black, 0px 1px black, 1px 0px black, 0px -1px black;
    font-size: 26px !important;
}

/* Hide the drilldown "Details" input (the third form field) when it is unpopulated */
#field3 {
    display: none;
}


inpage_drilldown_form.js

require(['jquery', 'underscore', 'splunkjs/mvc', 'util/console', 'splunkjs/mvc/simplexml/ready!'],
    function($, _, mvc, console) {

    // Get a reference to the dashboard panels
    var masterView = mvc.Components.get('master');
    var detailView = mvc.Components.get('detail');

    // Token models: unsubmitted form values, submitted values, and the URL state
    var unsubmittedTokens = mvc.Components.get('default');
    var submittedTokens = mvc.Components.get('submitted');
    var urlTokens = mvc.Components.get('url');

    if (!submittedTokens.has('ID')) {
        // If there is no value for the $ID$ token yet,
        // hide the dashboard panel of the detail view
        detailView.$el.parents('.dashboard-panel').hide();
    }

    submittedTokens.on('change:ID', function() {
        // When the token changes...
        if (!submittedTokens.get('ID')) {
            // ... hide the panel if the token is not defined
            detailView.$el.parents('.dashboard-panel').hide();
        } else {
            // ... show the panel if the token has a value
            detailView.$el.parents('.dashboard-panel').show();
        }
    });

    masterView.on('click', function(e) {
        e.preventDefault();
        // The clicked row's ID column becomes the new $ID$ token value
        var newValue = e.data['row.ID'];
        // Submit the value for the ID field
        unsubmittedTokens.set('form.ID', newValue);
        submittedTokens.set(unsubmittedTokens.toJSON());
        urlTokens.saveOnlyWithPrefix('form\\.', unsubmittedTokens.toJSON(), {
            replaceState: false
        });
    });
});


The behavior when first visiting the page shows no detail pane:

After the event is clicked, a detail pane can be seen below:

This event will be displayed until another event is clicked. The details pane can be hidden by refreshing the page.

Figure 30: No events clicked yet, thus the detail pane is hidden from view

Figure 31: Detailed pane drilldown shown above


Conclusion

Using a FireEye device, a free demo of Splunk, and Google, we were able to investigate the different HTTP POST formats for replicating FireEye Dashboards in Splunk. In writing this guide, we have discovered that there are many ways to tackle integrating these two devices because FireEye provides robust event notification and Splunk is flexible when ingesting and presenting these events. We are sharing this information in the hope that you will be inspired by seeing even just a fraction of what is possible. Who knows, it may save you a little time as well. We would love to hear your feedback, including sample FireEye dashboards and any pro-tips you have for consuming and displaying data in Splunk.


Troubleshooting

There are many methods that can be used to troubleshoot connection issues. Below is just one example:

Using Curl

Using any Linux host, or Cygwin on Windows, perform the following:

Step 1)

echo test > test.xml

Step 2)

curl -k -g --user <username>:<password> --data-binary @test.xml "https://<splunkServer>:<port>/services/receivers/simple?host=<SendingIP>&source=fe_test&sourcetype=fe_xml"

Ex:

curl -k -g --user fireeye:password --data-binary @test.xml "https://192.168.33.152:8089/services/receivers/simple?host=192.168.33.152&source=fe_test&sourcetype=fe_xml"

Result:

You should see something similar to the following response from Splunk after issuing the command above:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>default</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>4</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>Source IP Address here</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>fe_test</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>fe_xml</text>
        </value>
      </field>
    </result>
  </results>
</response>

Splunk Search:

After the data is successfully sent to Splunk, you should be able to search for it using the following search term:

source=fe_test

You should see "test" as the message body because it was the content of test.xml.
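The curl test above can also be scripted. The following is an added example, not code from the guide: it builds the same request to the receivers/simple endpoint (URL-encoding the query parameters, which the raw curl string does not), keeps TLS verification on unless explicitly told to behave like curl -k, and parses the XML response to confirm that Splunk indexed a non-zero number of bytes under the requested source and sourcetype. The server, user, password and sourcetype values are the ones from the guide's example; SAMPLE_RESPONSE is a constructed copy of the response shape printed above, so the check runs offline.

```python
"""Added example (not from the FireEye guide): the curl connectivity test in Python.

Builds the receivers/simple POST the guide issues with curl, with the query
string URL-encoded and certificate verification ON by default. parse_response
flattens Splunk's <field k=...><value><text> XML and check_response confirms
that the source/sourcetype echoed back match what was requested.
"""
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_request(server, port, user, password, host, source, sourcetype, body):
    """Return a urllib Request equivalent to the guide's curl command."""
    params = urllib.parse.urlencode(
        {"host": host, "source": source, "sourcetype": sourcetype}
    )
    url = f"https://{server}:{port}/services/receivers/simple?{params}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/octet-stream"},
    )


def parse_response(xml_text):
    """Flatten <response><results><result><field k=..><value><text> into a dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for field in root.iter("field"):
        text = field.find("value/text")
        fields[field.get("k")] = text.text if text is not None else None
    return fields


def check_response(xml_text, expected_sourcetype, expected_source):
    """Return (ok, message); ok only if >0 bytes landed under the expected source/sourcetype."""
    fields = parse_response(xml_text)
    problems = []
    if fields.get("sourcetype") != expected_sourcetype:
        problems.append(f"sourcetype {fields.get('sourcetype')!r} != {expected_sourcetype!r}")
    if fields.get("source") != expected_source:
        problems.append(f"source {fields.get('source')!r} != {expected_source!r}")
    if int(fields.get("bytes") or 0) <= 0:
        problems.append("zero bytes indexed")
    if problems:
        return False, "; ".join(problems)
    return True, f"indexed {fields['bytes']} bytes into index {fields.get('_index')}"


def send(req, cafile=None, insecure=False):
    """POST the request. insecure=True reproduces curl -k (lab use only)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


# Constructed response, shaped like the one shown in the Troubleshooting section
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response><results><result>
<field k="_index"><value><text>default</text></value></field>
<field k="bytes"><value><text>4</text></value></field>
<field k="host"><value><text>192.168.33.152</text></value></field>
<field k="source"><value><text>fe_test</text></value></field>
<field k="sourcetype"><value><text>fe_xml</text></value></field>
</result></results></response>"""

if __name__ == "__main__":
    req = build_request("192.168.33.152", 8089, "fireeye", "password",
                        "192.168.33.152", "fe_test", "fe_xml", b"test")
    print(req.full_url)
    print(check_response(SAMPLE_RESPONSE, "fe_xml", "fe_test"))
    # Against a live lab Splunk: check_response(send(req, insecure=True), "fe_xml", "fe_test")
```

A mismatch in the echoed sourcetype is the first thing to look for when the data lands but the dashboard searches return nothing, since every panel in Appendix A filters on sourcetype=fe_json.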


Email: Tony.Lee -at- FireEye.com
Linked-in: http://www.linkedin.com/in/tonyleevt

Special Thanks

Dennis Hanzlik, Dan Dumond, Ian Ahl, Dave Pany, Karen Kukoda, Leianne Lamb, Brian Stoner, Gunpreet Singh, Kate Scott

About FireEye

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,500 customers across 65 countries, including over 150 of the Fortune 500.

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. SPT.CSS.EN-US.102014

About the Author

Tony Lee has more than ten years of professional experience pursuing his passion in all areas of information security. He is currently a Technical Director at Mandiant, a FireEye Company, advancing many of the network penetration testing service lines. His interests of late are kiosk hacking, post exploitation tactics, and malware research. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, frequent blogger, and a lead instructor for a series of classes. He holds a Bachelor of Science degree in computer engineering from Virginia Polytechnic Institute and State University and a Master of Science degree in security informatics from The Johns Hopkins University.


Appendix A

Sample code to build a robust dashboard of maps, charts, forms, and detailed drilldown panels.

custom.css:

/* Set the background color of all of the nav bars to match the FireEye dashboard background color */
.footer, .header, .app-bar, .nav, .nav-pills, .navbar-inner, a.dropdown-toggle {
    background: #21232E !important;
}

/* Set the color of the hyperlink text in our dashboard to white for readability. Add a 3-D effect with shadows */
.app-bar .nav-pills > li > a, .nav-footer > li > a {
    /* color: #D12131 !important;  (FireEye red, kept for reference) */
    color: white !important;
    text-shadow: -1px 0px black, 0px 1px black, 1px 0px black, 0px -1px black;
    font-size: 14px !important;
}

/* If the FireEye logo (appLogo.png or appLogoWhite.png) does not exist, the app name text will still be the correct size and color */
div.app-name {
    color: #D12131 !important;
    text-shadow: -1px 0px black, 0px 1px black, 1px 0px black, 0px -1px black;
    font-size: 26px !important;
}

/* Hide the third form input (div id "field3"). It holds the ID token that the
   drilldown populates from the clicked row, so the user never types into it. */
#field3 {
    display: none;
}

Simple XML:

<form script="inpage_drilldown_form.js" stylesheet="custom.css">
  <label>FireEye JSON - With Drilldown and Filter</label>
  <fieldset autoRun="True">
    <!-- Add time range picker -->
    <input type="time" searchWhenChanged="true">
      <default>
        <earliestTime>-24h@h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <!-- Add Wildcard Filter -->
    <input type="text" token="wild">
      <label>Search</label>
      <default>*</default>
      <suffix/>
    </input>
    <!-- Used for drilldown - this input is rendered as div id "field3", hidden by custom.css,
         and populated by inpage_drilldown_form.js when a row of the master table is clicked -->
    <input type="text" token="ID" searchWhenChanged="true"/>
  </fieldset>

  <row>
    <map>
      <title>GeoIP Dest</title>
      <searchString>sourcetype=fe_json $wild$ | iplocation alert.dst.ip | geostats latfield=lat longfield=lon count by alert.explanation.malware-detected.malware.name</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
    </map>
  </row>

  <row>
    <chart>
      <title>Severity</title>
      <searchString>sourcetype=fe_json $wild$ | chart count by alert.severity</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
    </chart>
    <chart>
      <title>Malware</title>
      <searchString>sourcetype=fe_json $wild$ | chart count by alert.explanation.malware-detected.malware.name</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
    </chart>
    <chart>
      <title>Top 20 Source</title>
      <searchString>sourcetype=fe_json $wild$ | top limit=20 alert.src.ip</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
    </chart>
    <chart>
      <title>Top 20 Target</title>
      <searchString>sourcetype=fe_json $wild$ | top limit=20 alert.dst.ip</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
    </chart>
    <chart>
      <title>Top 20 Dest Ports</title>
      <searchString>sourcetype=fe_json $wild$ | top limit=20 alert.dst.port</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
    </chart>
    <chart>
      <title>Sensor</title>
      <searchString>sourcetype=fe_json $wild$ | chart count by appliance</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
    </chart>
  </row>

  <row>
    <table id="master">
      <title>Alerts</title>
      <searchString>sourcetype=fe_json $wild$ | eval UrlHash=case('alert.name'=="malware-object", 'alert.explanation.malware-detected.malware.md5sum', 'alert.name'=="web-infection", 'alert.explanation.malware-detected.malware{}.objurl', 'alert.name'=="malware-callback" OR 'alert.name'=="domain-match", 'alert.explanation.cnc-services.cnc-service.address') | sort -alert.occurred | table alert.name, alert.id, alert.explanation.malware-detected.malware.name, alert.severity, alert.occurred, alert.src.ip, alert.src.port, alert.dst.ip, alert.dst.port, UrlHash | rename alert.name AS Type, alert.id AS ID, alert.explanation.malware-detected.malware.name AS Malware, alert.severity AS Severity, alert.occurred AS Occurred, alert.src.ip AS "Source IP", alert.src.port AS "Source Port", alert.dst.ip AS "Target IP", alert.dst.port AS "Target Port", UrlHash AS "URL/Md5sum"</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">10</option>
    </table>
  </row>

  <row>
    <table id="detail">
      <title>Alert Detail: $ID$</title>
      <searchString>sourcetype=fe_json alert.id=$ID$ $wild$ | table _raw, alert.alert-url</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">10</option>
    </table>
  </row>

  <row>
    <table>
      <title>Callbacks</title>
      <searchString>sourcetype=fe_json "alert.name"="domain-match" $wild$ | stats count(alert.explanation.cnc-services.cnc-service.address) as "Events", distinct_count(alert.src.ip) as "Hosts", max(alert.occurred) as "Last Seen" by alert.explanation.cnc-services.cnc-service.address | table alert.explanation.cnc-services.cnc-service.address, alert.explanation.cnc-services.cnc-service.location, Events, Hosts, "Last Seen" | rename alert.explanation.cnc-services.cnc-service.address as "C&amp;C Server", alert.explanation.cnc-services.cnc-service.location as "Locations" | sort -"Last Seen"</searchString>
      <earliestTime>$earliest$</earliestTime>
      <latestTime>$latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">10</option>
    </table>
  </row>
</form>
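The two searches that carry most of the logic in this dashboard are the master table's eval UrlHash=case(...), which selects a different IOC field depending on alert.name, and the Callbacks table's stats over domain-match alerts. The following is an added example, not code from the guide, that reproduces both in Python so the SPL can be sanity-checked against sample alerts before the dashboard is built. The field paths are the ones the dashboard uses; the nesting of SAMPLE_ALERTS is an assumption modelled on those paths rather than a captured FireEye notification, and every value in it (addresses, hash, hostnames, severities, timestamps) is constructed.

```python
"""Added example (not from the FireEye guide): the Appendix A table logic in Python.

url_hash() mirrors eval UrlHash=case(...), master_table() the "Alerts" table
(newest first), callbacks_table() the "Callbacks" stats. SAMPLE_ALERTS is a
constructed data set whose nesting is assumed from the dashboard's field paths.
"""


def get_path(obj, path):
    """Resolve a dotted Splunk-style path over nested dicts/lists. Returns a list,
    since Splunk fields are multivalued (the '{}' in 'malware{}.objurl' marks a JSON array)."""
    values = [obj]
    for key in path.split("."):
        found = []
        for value in values:
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, dict) and key in item:
                    found.append(item[key])
        values = found
    flat = []
    for value in values:
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def first(obj, path):
    """Single-valued convenience wrapper; None when the field is absent."""
    values = get_path(obj, path)
    return values[0] if values else None


def url_hash(alert):
    """Python form of the dashboard's eval UrlHash=case(...)."""
    name = first(alert, "alert.name")
    if name == "malware-object":
        return first(alert, "alert.explanation.malware-detected.malware.md5sum")
    if name == "web-infection":
        return first(alert, "alert.explanation.malware-detected.malware.objurl")
    if name in ("malware-callback", "domain-match"):
        return first(alert, "alert.explanation.cnc-services.cnc-service.address")
    return None  # case() with no matching clause yields null


# (SPL field, dashboard column) pairs from the master table's rename command
MASTER_COLUMNS = [
    ("alert.name", "Type"), ("alert.id", "ID"),
    ("alert.explanation.malware-detected.malware.name", "Malware"),
    ("alert.severity", "Severity"), ("alert.occurred", "Occurred"),
    ("alert.src.ip", "Source IP"), ("alert.src.port", "Source Port"),
    ("alert.dst.ip", "Target IP"), ("alert.dst.port", "Target Port"),
]


def master_table(alerts):
    """Rows of the "Alerts" table, newest first. Assumes ISO 8601 timestamps so
    that string order equals time order (as Splunk's max()/sort do on strings)."""
    rows = []
    for alert in alerts:
        row = {column: first(alert, field) for field, column in MASTER_COLUMNS}
        row["URL/Md5sum"] = url_hash(alert)
        rows.append(row)
    return sorted(rows, key=lambda r: r["Occurred"] or "", reverse=True)


def callbacks_table(alerts):
    """The "Callbacks" table: domain-match alerts aggregated per C&C address."""
    by_address = {}
    for alert in alerts:
        if first(alert, "alert.name") != "domain-match":
            continue
        for address in get_path(alert, "alert.explanation.cnc-services.cnc-service.address"):
            row = by_address.setdefault(address, {"C&C Server": address, "Locations": set(),
                                                  "Events": 0, "Hosts": set(), "Last Seen": ""})
            row["Events"] += 1                              # count(address)
            row["Hosts"].add(first(alert, "alert.src.ip"))  # distinct_count(alert.src.ip)
            row["Locations"].update(get_path(alert, "alert.explanation.cnc-services.cnc-service.location"))
            row["Last Seen"] = max(row["Last Seen"], first(alert, "alert.occurred") or "")  # max(alert.occurred)
    rows = [dict(r, Hosts=len(r["Hosts"]), Locations=sorted(r["Locations"])) for r in by_address.values()]
    return sorted(rows, key=lambda r: r["Last Seen"], reverse=True)


def _alert(name, aid, sev, when, src, dst, explanation):
    """Build one constructed alert record in the assumed nesting."""
    return {"appliance": "fe-nx-lab", "alert": {
        "name": name, "id": aid, "severity": sev, "occurred": when,
        "src": {"ip": src[0], "port": src[1]}, "dst": {"ip": dst[0], "port": dst[1]},
        "explanation": explanation}}


# Constructed sample alerts: RFC 5737 documentation addresses, made-up hash and hostname
SAMPLE_ALERTS = [
    _alert("malware-object", 1001, "majr", "2014-10-02T14:03:11Z", ("10.1.1.25", 49152), ("203.0.113.10", 80),
           {"malware-detected": {"malware": {"name": "Trojan.Generic", "md5sum": "00112233445566778899aabbccddeeff"}}}),
    _alert("web-infection", 1002, "crit", "2014-10-02T14:10:45Z", ("10.1.1.30", 49201), ("203.0.113.20", 80),
           {"malware-detected": {"malware": [{"name": "Exploit.Kit", "objurl": "http://203.0.113.20/landing.php"}]}}),
    _alert("domain-match", 1003, "minr", "2014-10-02T14:15:00Z", ("10.1.1.25", 51000), ("198.51.100.5", 443),
           {"cnc-services": {"cnc-service": {"address": "bad.example.net", "location": "US"}}}),
    _alert("domain-match", 1004, "minr", "2014-10-02T14:20:30Z", ("10.1.1.40", 51022), ("198.51.100.5", 443),
           {"cnc-services": {"cnc-service": {"address": "bad.example.net", "location": "US"}}}),
]
```

Run master_table(SAMPLE_ALERTS) and callbacks_table(SAMPLE_ALERTS) from an interpreter; the Callbacks row for bad.example.net should show two events from two distinct hosts, which is the same answer the SPL returns once the real alerts are indexed under sourcetype=fe_json. Note that the list-aware get_path is what makes the web-infection case work: the malware element there is an array, which is exactly why the dashboard writes that one path as malware{}.objurl.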

