All Apps and Add-ons

FireEye App for Splunk Enterprise v3: Why is the app not displaying any data in the dashboard and event view?

tung62
New Member

I have installed FireEye App for Splunk Enterprise v3 in Splunk 6.x. FireEye EX 7.x sends XML syslog to Splunk.

I set the sourcetype as "fireeye" in Splunk, I can successfully search the fireeye log by sourcetype=fireeye". However the FIreEye App 3.0 does not show any data in dashboard and in event view.

the log format received as attachedalt text:

0 Karma

TonyLeeVT
Builder

Please see the valid sourcetypes section in the Details page below. For this format, you need to use fe_xml_syslog. It may be best to start simple (ex: fe_cef_syslog) though and then go to a more robust format.

https://splunkbase.splunk.com/app/1845/#/details

Pasted below for your convenience:

Sourcetypes
Supported protocols and corresponding sourcetypes are:

Protocol/format Sourcetype
1) JSON over HTTPS        fe_json
2) XML over HTTPS          fe_xml
3) CEF over SYSLOG - TCP    fe_cef_syslog
4) CEF over SYSLOG - UDP    fe_cef_syslog
5) XML over SYSLOG - TCP    fe_xml_syslog
6) XML over SYSLOG - UDP    fe_xml_syslog
7) JSON over SYSLOG - TCP   fe_json_syslog
8) JSON over SYSLOG - UDP   fe_json_syslog
9) CSV over SYSLOG - TCP    fe_csv_syslog
10) CSV over SYSLOG - UDP   fe_csv_syslog
HX Endpoint Appliance   hx_cef_syslog
Threat Analytics Platform (TAP) fe_tap_json
Email Threat Prevention (ETP)   fe_etp
0 Karma

tung62
New Member

And I would like to highlight to you that the statistic (e.g. Total Malicious Email, Attachement) are not correct. This is because fireeye sends two or more events for single email if the email attachment is zipped. It can't simply count the user or hash. The logic may be complex.

0 Karma

tung62
New Member

I modify your extraction "fe_xml_syslog : EXTRACT-mail_suser_duser_for_fireeye". The domain field is removed from your extraction, then it works. the raw log does not have domain field.

0 Karma

tung62
New Member

after change sourcetype=fe_xml_syslog, some dashboards (e.g. serverity, malware)
can shows content. However, some dashboards (e.g. senders, recipients) show no content. The fireeye app cannot parse the xml log to extracts some fields.alt text

0 Karma

TonyLeeVT
Builder

So you are parsing EX events. We would need to set up a VTC to see why it is not parsing. Feel free to send an email via the app (Help -> Send Feedback) so we can set one up.

Alternatively, did you try switching to sourcetype fe_cef_syslog and changing the FEYE appliances to use syslog and CEF to see if that meets your needs?

0 Karma

tung62
New Member

Do you mean that I need manually set the source type as "fe_xml_syslog" in the Splunk's Data Inputs setting page?

0 Karma

TonyLeeVT
Builder

Instead of setting it to fireeye as you mentioned before. Set it to fe_xml_syslog, then let us know if it works.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...