All Apps and Add-ons

How do I get a copy of the EX analysis alert into Splunk?

Contributor

Currently the FE EX sends an email alert with analysis and the email header information. I want to pull those alerts into Splunk so I can parse out the header information and other characteristics of the analysis from the alert. Is this possible? Please advise with steps if possible.

Thank you

0 Karma
1 Solution

Builder

Sorry for the delay. This took a while to set up the difference scenarios to see which formats actually sent the SMTP header information. The SMTP headers are available for the following formats:

1)  JSON extended   (not JSON concise and not JSON normal)
  It is properly parsed by Splunk using:   alert{}.smtp-message.smtp-header

2)  XML extended and normal   (not XML concise)
  It is indicated by the <smtp-header> but does not get properly parsed due to spaces

To be honest we have not spent a whole lot of time parsing the extended formats because it can generate more than 300,000 lines of information. Splunk does not seem to like extremely large events--instead it seems to prefer many smaller events.

Send me an email via the Help -> Send Feedback link within the FireEye Splunk app and we will see what we can do.

View solution in original post

0 Karma

Builder

Sorry for the delay. This took a while to set up the difference scenarios to see which formats actually sent the SMTP header information. The SMTP headers are available for the following formats:

1)  JSON extended   (not JSON concise and not JSON normal)
  It is properly parsed by Splunk using:   alert{}.smtp-message.smtp-header

2)  XML extended and normal   (not XML concise)
  It is indicated by the <smtp-header> but does not get properly parsed due to spaces

To be honest we have not spent a whole lot of time parsing the extended formats because it can generate more than 300,000 lines of information. Splunk does not seem to like extremely large events--instead it seems to prefer many smaller events.

Send me an email via the Help -> Send Feedback link within the FireEye Splunk app and we will see what we can do.

View solution in original post

0 Karma

Contributor

Thank you for the response. I follow some of what you are saying but I am still not understanding entirely what I would need to do.

For clarity I will explain the scenario.
FE EX sends an email alert to me. The alerts of interest are malicious attachment or malicious link detected. I would like to extract the following information from the alert (and possibly other characteristics)
From:
To:
Subject:
Date:
original: (name of malicious attachment)
or
url: (name of malicious link)

Is this possible natively in the FE App?
Is this information only in the extended FE logs and I need to ingest and then parse the extended logs? (by the method you mention previously)

Please explain where I should add the extended logs to the same index (for example Main)?

Thank you very much.

0 Karma

Builder

It sounds like you do not have the app installed. The links below should help you. The search head should have only the app installed (do not install the app and TA on the search head). Use only the TA for everything else. The link to the configuration guide at the bottom should help you configure everything and send test events to Splunk so you can see what is parsed.

App:
https://splunkbase.splunk.com/app/1845/

TA:
https://apps.splunk.com/app/1904/

Configuration guide:
https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for...

If you have other issues, please feel free to send me an email via the Help -> Send Feedback link within the FireEye Splunk app.

0 Karma

Builder

Your wanting to ingest the email's for the purpose of removing the email header information so you can then send out the email From splun (?) without sensitive information from the header? I need more background on what your trying to achieve... I don't know much about this add on for splunk but to me it seems if there's an add on in splunk that sends out email then there should be a way within splunk to control that

is the the information not being sent from splunk? If no, then go to the source of where the email is being sent and see if you can get creative in how splunk ingest that data

Sorry i'm not much help but i saw your's had 0 responses and decided to give it a shot!

0 Karma

Contributor

Yes the problem is ingesting the email alerts from FireEye, which are not included in the FireEye App. I want to get FireEye to log the email alerts and send them to Splunk. The email alerts have more actionable information than the native information in the FireEye App. This question is probably best answered by someone who knows how to enable those logs in FireEye.

0 Karma