Sunday, August 23, 2015

FireEye Splunk App Introduces the Toolbox

By Tony Lee

Introduction

Splunk development has been a hobby of mine for a while now and the FireEye/Splunk app has been my outlet (when I get a free night or weekend). I enjoy it because it is fun to see what you can create and even more fun to see how many people use the app and how they use it. The latest feature of the FireEye app will hopefully get a lot of use because the potential is unlimited.

The Toolbox

I have helped SOC personnel investigate incidents and found it a bit cumbersome to search for and launch different tools--especially in a segment of the network that has no Internet access. Therefore, what I would like to do in the next couple of app releases is bring the tools to the analysts. This effort really started with the last release by introducing VirusTotal lookups directly from the app (both hash and IP/URL). This time we are introducing two new tools: a Base64 converter and a URL decoder. These could help investigators decode C2 traffic, exploits, and attack URLs without leaving the app.


Installation Note

After installing version 3.0.7 of the app, you may need to clear the local files--such as:

local/data/ui/nav/default.xml

This local copy of the file may prevent you from seeing the new Toolbox menu that appears in the screenshots below.

VirusTotal Lookup

As mentioned before, this feature was introduced in the last update, but if you have not seen the output, it is worth taking a look.  This tool requires Internet access, but we supply an API key for your convenience.



Base64 Converter

This tool allows responders to encode and decode Base64 data by changing the operation.  This tool does not require Internet access.


URL Decoder

This last tool in the toolbox enables users to decode obfuscated URLs.  This tool does not require Internet access.
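As an added example, not code from the FireEye app, the following stand-alone Python reproduces what the two offline Toolbox tools do (Base64 encode/decode and URL decoding) and handles the inputs an analyst usually pastes in from logs: stripped `=` padding, the URL-safe alphabet, decoded output that is binary rather than text, and URLs that have been percent-encoded more than once. The function names `base64_convert` and `url_decode` and the sample values are assumptions constructed for this example.

```python
"""Stand-alone re-creation of the two offline Toolbox operations.

Added example only; not the FireEye Splunk app's own code.
Function names and sample inputs are assumptions.
"""
import base64
import binascii
import urllib.parse


def base64_convert(data: str, operation: str = "decode") -> str:
    """Encode or decode text as Base64, selected by `operation`.

    Decoding tolerates the two things that most often trip up data
    pasted from logs: stripped '=' padding and the URL-safe alphabet
    ('-' and '_' in place of '+' and '/').
    """
    if operation == "encode":
        return base64.b64encode(data.encode("utf-8")).decode("ascii")
    if operation != "decode":
        raise ValueError("operation must be 'encode' or 'decode'")

    cleaned = "".join(data.split())            # drop copy-paste whitespace
    cleaned = cleaned.replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)       # restore missing padding
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc

    # Decoded C2 payloads are frequently binary; show text when it is
    # text, otherwise fall back to hex instead of failing outright.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return "hex:" + raw.hex()


def url_decode(url: str, max_rounds: int = 5) -> str:
    """Percent-decode a URL repeatedly until it stops changing.

    A single pass is not enough for URLs that were encoded two or three
    times; the round limit keeps the loop bounded on adversarial input.
    urllib.parse.unquote leaves '+' alone (it is literal in a path);
    use unquote_plus if you are decoding only a query string.
    """
    current = url
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


if __name__ == "__main__":
    # Constructed sample values, not real captured traffic.
    print(base64_convert("hello", "encode"))          # aGVsbG8=
    print(base64_convert("aGVsbG8"))                  # hello (padding restored)
    print(base64_convert("-_8="))                     # hex:fbff (binary, URL-safe)
    print(url_decode("http://example.test/a%252Fb"))  # http://example.test/a/b
```

Dropping this into a Splunk custom search command is a matter of wrapping these two functions; the decoding behaviour is the part worth getting right, since a tool that rejects unpadded or URL-safe input is the one analysts stop using.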


Conclusion

Hopefully you will find these tools useful.  Additionally, feel free to provide feedback on any tools you would like to see added to the Toolbox.
