Thursday, May 22, 2014

Stopgap: Splunk for FireEye v2 App

By Tony Lee


Introduction
Technology is always progressing, which is great for the most part. However, progress can cause compatibility issues when you try to integrate two evolving products such as Splunk and FireEye. This quick post should get you up and running with the current Splunk for FireEye v2 App. Preliminary testing shows that the patched version of the app (v2.0.8) works, at a minimum, with the Splunk and FireEye wMPS (NX) OS versions in the table below when you follow the instructions in this post.


Version       FireEye wMPS (NX) OS 6.X   FireEye wMPS (NX) OS 7.X
Splunk v5     OK                         OK
Splunk v6     OK                         OK

Outline
  • Background
  • Download
  • Installation from file
  • Creating a Splunk user
  • Configuring FireEye
  • Conclusion


Background
Knowing the background behind the Splunk for FireEye v2.0.8 patch isn't needed to make this work, but for those who are curious, see the following link:
http://answers.splunk.com/answers/123168/fireeye-built-in-dashboards-not-working

Download
There are four components that need to be downloaded. All of them require a free Splunk account, so you will need to register if you don't already have one. Even though it is possible, do not download the three apps below from within the Splunk App Manager. Download them from a web browser and save the files in a directory that you can find later.


  1. Splunk (if not already installed) - http://www.splunk.com/download
  2. Splunk for FireEye App - https://apps.splunk.com/app/409/
  3. Splunk for Google Maps - http://apps.splunk.com/app/368/
  4. Splunk for Geo Location Lookup Script - http://apps.splunk.com/app/291/


Figure 1:  Downloading the apps using a web browser

Installation from file
First install Splunk if it is not already installed. Then install the apps that you downloaded to disk in the previous step.


For Splunk v6, use Apps -> Manage Apps -> Install app from file -> Browse


Figure 2:  Using app manager to install from file


Navigate to the following apps that you downloaded in the prior step, installing them one by one:
  • Splunk for Google Maps
    • google-maps_113.tgz
  • Splunk for Geo Location Lookup Script
    • geo-location-lookup-script-powered-by-maxmind_106.tgz
  • Splunk for FireEye App
    • fireeye_208.tgz


(Perform any necessary Splunk restarts when requested)


Figure 3:  Uploading the apps

Now that all of the apps are installed, the FireEye and Google Maps apps should show up on the Splunk Home page.

Figure 4:  Apps are installed

Creating a Splunk User
Since the FireEye appliance delivers its XML notifications to Splunk by HTTP POST to the Splunk REST API, we need to create a Splunk account that the appliance will use to authenticate when it posts event data.
Note:  Make sure the account name is alphanumeric only (no whitespace).
Example username:  fireeye


For Splunk v6, complete the following steps:
  • Log into the Splunk web UI with an admin account
  • Click “Settings -> Users and authentication -> Access Controls”
  • Click “Users” -> Click the "New" button
  • Fill in the required data
  • Privilege Note:  the admin role is required (user and power user are not sufficient). Because this account's password will be stored on the FireEye appliance, make it a dedicated account with a long, random password that is not reused by any person or other system.
  • Click the "Save" button


Figure 5:  Creating the Splunk admin account that will accept our HTTP POST messages.

Configuring FireEye
Complete the following steps to send data to Splunk using extended XML via HTTP Post:
  • Log into the FireEye appliance with an administrator account
  • Click “Settings”
  • Click “Notifications”
  • Click the “http” hyperlink
  • Make sure the "Event type" check box is selected
  • Click the “Apply Settings” button


Next to the "Add HTTP Server" button, type "SplunkHTTP". Then click the "Add HTTP Server" button.
Next to the newly created SplunkHTTP entry, ensure the following check boxes are selected:
  • Enabled
  • Auth
  • SSL Enable


Enter the remaining settings:
Server URL:   https://<SplunkAD.DR.ESS>:<PORT>/services/receivers/simple?source=<FireEyeAddress>&sourcetype=fe_xml&index=fe
Username:  fireeye (or username you created in Splunk)
Password:  <password you created above in Splunk>


Note:  8089 is Splunk's default management port, the port the REST API (including the receivers endpoint above) listens on; if your deployment has changed it, use that port instead. The appliance must be able to reach this port, and the index named in the URL (fe) must already exist on the Splunk instance or the posted events will not show up.


Ex:  https://192.168.33.152:8089/services/receivers/simple?source=FEwMPS1&sourcetype=fe_xml&index=fe


Notifications: Select All Events (recommended)
Delivery: Select Per Event (recommended)
Message Format: XML Extended (recommended, but any XML option can be used)


Remember to click the “Update” button when finished.

Figure 6:  Steps to configure the FireEye appliance to send data to Splunk

Now test the sending and receiving of notifications on the same FireEye Notifications page by clicking the "Test-Fire" button at the bottom.   Flip back over to the Splunk interface and check out the event data in the FireEye App.

Figure 7:  FireEye Overview dashboard


Figure 8:  Malware Overview dashboard
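Before involving the appliance, you can exercise the Splunk side of this setup yourself: the script below builds the same receivers/simple URL the post has you type into the FireEye notification page, attaches the same HTTP Basic credential the "Auth" check box turns on, and POSTs one XML body to it. This is an added example written for this post, not code from the Splunk for FireEye App or from FireEye. The host, source name and port are the ones in the post's example URL; the password is a placeholder, and the XML body is a constructed stand-in, not real FireEye output. Compare the URL the script prints with what you entered on the appliance, and check the HTTP status Splunk returns (a 401 points at the account, a 404 or error body at the URL or index).

```python
"""Post one XML notification to Splunk's receivers/simple endpoint, the way
the FireEye appliance does when configured per the post.

Added example; not part of the original post or of either vendor's app.
Assumed values (not from the post): the password and the sample XML body.
Requires Python 3.
"""
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Settings the post has you enter on the FireEye notification page.
SPLUNK_HOST = "192.168.33.152"   # from the post's example URL
SPLUNK_PORT = 8089               # Splunk management port (default)
SOURCE = "FEwMPS1"               # from the post's example URL
SOURCETYPE = "fe_xml"
INDEX = "fe"
USERNAME = "fireeye"
PASSWORD = "CHANGE-ME"           # placeholder; use the password you set in Splunk

# Constructed sample body. This is NOT real FireEye XML, only a well-formed
# stand-in so the Splunk side can be exercised end to end.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<alerts appliance="FEwMPS1" version="7.0.0">
  <alert id="1" name="malware-object" severity="majr">
    <src><ip>10.0.0.5</ip></src>
    <dst><ip>203.0.113.10</ip></dst>
    <occurred>2014-05-22T14:02:11Z</occurred>
  </alert>
</alerts>
"""


def is_valid_username(name):
    """The post requires an alphanumeric account name with no whitespace."""
    return name.isalnum()


def build_receiver_url(host, port, source, sourcetype, index):
    """Build the receivers/simple URL in the form given in the post."""
    query = urllib.parse.urlencode(
        {"source": source, "sourcetype": sourcetype, "index": index})
    return "https://%s:%d/services/receivers/simple?%s" % (host, port, query)


def basic_auth_header(username, password):
    """HTTP Basic credential, as sent when 'Auth' is checked on the appliance."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url, body, username, password):
    """One POST carrying one XML notification (FireEye 'Per Event' delivery)."""
    if not is_valid_username(username):
        raise ValueError("Splunk account name must be alphanumeric: %r" % username)
    ET.fromstring(body)  # refuse to send malformed XML
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/xml")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def send(req, verify_tls=True):
    """POST to Splunk and return (HTTP status, response body).

    A default Splunk install presents a self-signed certificate on 8089, so a
    first test may need verify_tls=False; fix the certificate rather than leave
    verification off in a real deployment.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    url = build_receiver_url(SPLUNK_HOST, SPLUNK_PORT, SOURCE, SOURCETYPE, INDEX)
    request = build_request(url, SAMPLE_XML, USERNAME, PASSWORD)
    print("POST", request.full_url)
    status, text = send(request, verify_tls=False)
    print(status, text)
```

Once Splunk answers 200, search `index=fe sourcetype=fe_xml` to confirm the event landed in the index the app reads from; if the script succeeds but the appliance's "Test-Fire" does not, the difference is on the FireEye side (URL typo, credentials, or network path to port 8089).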

Conclusion
These instructions are intended to help users bridge the gap to the latest version of Splunk and FireEye while a new app is in the works.  Let us know if this worked for you or if you have any issues that we can help solve in the meantime.  Thanks for reading.


Special Thanks To
Ian Ahl
Dennis Hanzlik
Josh McCarthy
Karen Kukoda
Leianne Lamb

2 comments:

  1. I just installed the Splunk for FireEye v2 app per your instructions above. However, I am running v6.1.1 of Splunk and when I launch the app on the main page there are errors above the Google Map. Can the FireEye v2 app use SplunkMap View?

    Replies
    1. Thanks for the feedback Jeff. Unfortunately I did not try this solution on Splunk 6.1.1 since it was not available at the time. I don't believe we had any errors with the Google Map. To suggest some troubleshooting: Did you install it manually? Did you try uninstalling and reinstalling the apps? If you post the error message here I may be able to look into it for you. Also, to be honest, we are moving away from that version of the app with a complete rewrite of the Splunk for FireEye app which will be available for download in the Splunk store soon.
