FIREEYE APP FOR SPLUNK ENTERPRISE 6.X: Configuration
SPECIAL REPORT
FireEye App for Splunk Enterprise 6.X
Configuration Guide Version 1.3
SECURITY REIMAGINED
CONTENTS
Welcome ............................................................ 3
  Supported FireEye Event Formats .................................. 3
  Original Build Environment ....................................... 4
  Possible Dashboard Configurations ................................ 4
Installing the FireEye App for Splunk Enterprise ................... 7
  Manual Installation Procedures ................................... 7
Configuring the FireEye App for Splunk Enterprise .................. 8
Configuring Splunk ................................................. 9
  SYSLOG - TCP & UDP ............................................... 9
  HTTPS via Splunk RESTful API ..................................... 11
  Splunk User ...................................................... 13
Configuring FireEye (NX, EX, AX, FX) ............................... 14
  Explanation of protocols ......................................... 14
  CEF over SYSLOG (TCP) ............................................ 15
  JSON over HTTPS .................................................. 16
  Optional Indexing ................................................ 18
Integrating FireEye PX ............................................. 19
Integrating FireEye HX ............................................. 21
Integrating FireEye Threat Analytics Platform (TAP) ................ 23
  How it works ..................................................... 23
  Requirements ..................................................... 23
  Configuring the FireEye TAP API .................................. 24
Troubleshooting .................................................... 30
  Using Curl ....................................................... 30
  Splunk Search .................................................... 31
About the Author ................................................... 32
Special Thanks ..................................................... 32
About FireEye, Inc. ................................................ 32
Welcome
This document provides instructions on installing the FireEye App for Splunk Enterprise and configuring the
devices to communicate.
Supported FireEye Event Formats
Explanation of protocols
Easiest to configure
#  Protocol            Enc  Reason
1  SYSLOG - TCP CEF    No   TCP does not require command-line configuration on FireEye Appliance
2  SYSLOG - UDP CEF    No   Provides more data than CSV
3  SYSLOG - TCP CSV    No   TCP does not require command-line configuration on FireEye Appliance
4  SYSLOG - UDP CSV    No   Last resort - May not send protocol field
Requires more effort to configure
#  Protocol            Enc  Reason
1  SYSLOG - TCP XML    No   TCP does not require command-line configuration on FireEye Appliance
2  SYSLOG - UDP XML    No   XML provides more data than CEF and CSV
3  SYSLOG - TCP JSON   No   TCP does not require command-line configuration on FireEye Appliance
4  SYSLOG - UDP JSON   No   JSON provides more data than CEF and CSV
Most effort to configure
#  Protocol            Enc  Reason
1  HTTPS JSON          Yes  Encrypted, lighter than XML
2  HTTPS XML           Yes  Encrypted
General notes
• When sending JSON or XML to EX, use concise alerting
• For everything else, use normal alerting
• Try the easiest to configure first. Then progress to most effort if necessary.
Warning
Preference is to use TCP, but if UDP is necessary -- set FireEye UDP syslog to max chunk-size of 4096:
    ssh admin@<FireEyeBox>
    en
    conf t
    fenotify rsyslog trap-sink <splunk_connector> chunk-size 4096
Original Build Environment
• Linux base OS
• Splunk 6.X - Non-distributed environment
Possible Dashboard Configurations
• Analytics: User-provided content. Feel free to contribute favorite dashboards via the feedback link within the app.
• Visualization: Intended as a heads-up display for a NOC/SOC. GeoIP, trends, and charts.
• Analysis: Analyst dashboard contains more detailed event data
• Comprehensive: All panels displayed on one screen--Visualization + Comprehensive
• Toolbox: Useful tools for investigators that include third-party lookups
Screenshots
The screenshots below show the default dashboards included in the FireEye App for Splunk Enterprise.
Figure 1: Analytics Dashboard
Figure 2: FireEye NX Visualization
Figure 3: FireEye NX Analysis
Figure 4: FireEye EX Visualization
Figure 5: FireEye EX Analysis
Installing the FireEye App for Splunk Enterprise
Use the App Manager within Splunk or follow the manual installation instructions below:
Manual Installation Procedures
1. Download the .spl or .tgz file.
2. Navigate to “Apps” -> “Manage Apps”.
3. Click on “Install app from file”.
4. Upload the downloaded file using the form provided.
5. Restart if the app requires it.
$SPLUNK_HOME/bin/splunk restart
Upon successful installation, the following screen will be present:
Figure 6: Successful Installation Message
Configuring the FireEye App for Splunk Enterprise
FireEye realizes that every customer may not own the entire suite of appliances, thus the FireEye app allows the user to
customize their menu options to only contain the necessary appliances. This can be done by performing the following actions:
1. Log into Splunk using an Administrator account
2. We have made it easy to set up and change the menus: go to Help -> Configure App
Figure 7: Help menu shows option to configure the application
3. In the next screen, users can enable certain FireEye products and optionally Daily Reports
Figure 8: FireEye App for Splunk Enterprise configuration screen
4. Restart Splunk when the following message appears: “Successfully updated FireEye_v3” in the top left hand corner
of the screen.
$SPLUNK_HOME/bin/splunk restart
Configuring Splunk
There are many options for configuring Splunk, but the main options are listed below. Your choice will depend
on the constraints in your environment.
Explanation of Protocols:
#  Protocol                       Enc  Reason
1  SYSLOG - TCP                   No   Easier to send large amounts of data than UDP
2  SYSLOG - UDP                   No   Last resort - requires shell configuration of FireEye devices
3  HTTPS via Splunk RESTful API   Yes  Encrypted, flexible sending large amounts of data
SYSLOG - TCP & UDP
The steps below should assist in the setup. The instructions below show TCP, but can easily be changed if UDP is
required.
Creating Connectors
Now that we have Splunk ready to go, we have to create the connection between the FireEye and Splunk devices. This
involves creating a Splunk listener and configuring the FireEye device to send the data.
Splunk Listener
The Splunk listener needs to be configured so it can receive data from other devices. Perform the following steps to
create the listener:
• Again, log into the Splunk web UI with an admin account
• Click “Settings -> Data inputs -> Add data button”
• Click “From a TCP port”
• Enter “514” for the port
• Set Source Type: From list
• Select source type from list: syslog
• Click the “Save” button
• Click the “Back to home” link
Both FireEye and Splunk allow syslog over TCP. Using TCP, there are fewer concerns with data that is too large for
SYSLOG—thus it is recommended.
Figure 9: Adding a data connector in Splunk
Figure 10: Adding a data connector in Splunk
HTTPS via Splunk RESTful API
The steps below should assist in the setup.
Splunk Listener
A default installation of Splunk 6.0 or later should automatically be listening via the RESTful API on port 8089. However,
this can be verified by navigating to this API using a standard web browser: https://<SplunkBox>:8089
Figure 11: Splunk RESTful API is available on the default port 8089
If for whatever reason, you are not able to connect to this port, you can verify the service and port number using the
following steps:
Using a web browser, log in to the web interface: http://<SplunkBox>:8000
• Username: <admin account>
• Password: <password>
Set up the Splunk listener:
• Click the “Settings” hyperlink in the top right hand corner of Splunk
• Under “System”, click “System settings”
• Click “General Settings”
• Note the value in the “Management port” field
Figure 12: The port that Splunk uses for its RESTful API
Splunk Role
We now want to create a user in Splunk that will be used for passing the RESTful API data. However, there is currently
no predefined Splunk role that can perform the job while adhering to the principle of least privilege. We could just assign
our new user the “admin” role, but this would create a more severe situation should this account ever become
compromised.
The following instructions will create a Splunk role that has only the ability to accept data via the RESTful API:
• Log into the Splunk web UI with an admin account
• Click “Settings -> Users and authentication -> Access controls”
• Click “Roles” -> Click the “New” button
• Role Name: RESTfulAPI
• Capabilities: edit_tcp
Splunk User
Now that we have created a secure role, we need to create an account that will be used for authentication to post our
event data.
Note:
• Make sure the account name is alphanumeric only (no whitespace)
• Make sure the password is 17 characters or less
• Example username: fireeye
Perform the following steps to create the account:
• Again, log into the Splunk web UI with an admin account
• Click “Settings -> Users and authentication -> Access controls”
• Click “Users” -> Click the “New” button
• Fill in the required data
• Privilege Note: Remember to use our newly created restfulapi role
• Click the “Save” button
Figure 13: Creating the Splunk admin account that will accept our HTTP POST messages.
Configuring FireEye (NX, EX, AX, FX)
There are many options for installation, but the most reliable options are listed below in order of preference.
Your choice will depend on the constraints in your environment.
Explanation of protocols
Easiest to configure
#  Protocol            Enc  Reason
1  SYSLOG - TCP CEF    No   TCP does not require command-line configuration on FireEye Appliance
2  SYSLOG - UDP CEF    No   Provides more data than CSV
3  SYSLOG - TCP CSV    No   TCP does not require command-line configuration on FireEye Appliance
4  SYSLOG - UDP CSV    No   Last resort - May not send protocol field
Requires more effort to configure
#  Protocol            Enc  Reason
1  SYSLOG - TCP XML    No   TCP does not require command-line configuration on FireEye Appliance
2  SYSLOG - UDP XML    No   XML provides more data than CEF and CSV
3  SYSLOG - TCP JSON   No   TCP does not require command-line configuration on FireEye Appliance
4  SYSLOG - UDP JSON   No   JSON provides more data than CEF and CSV
Most effort to configure
#  Protocol            Enc  Reason
1  HTTPS JSON          Yes  Encrypted, lighter than XML
2  HTTPS XML           Yes  Encrypted
General notes
• When sending JSON or XML to EX, use concise alerting
• For everything else, use normal alerting
• Try the easiest to configure first. Then progress to most effort if necessary.
Warning:
Preference is to use TCP, but if UDP is necessary -- set FireEye UDP syslog to max chunk-size of 4096:
    ssh admin@<FireEyeBox>
    en
    conf t
    fenotify rsyslog trap-sink <splunk_connector> chunk-size 4096
Two examples are provided below: the first for SYSLOG and the second for HTTPS.
CEF over SYSLOG (TCP)
The first option we will show is how to configure the FireEye device to send CEF over SYSLOG. We understand that
sending data via HTTPS may not work for everyone.
Complete the following steps to send data to Splunk using CEF over SYSLOG (TCP):
• Log into the FireEye appliance with an administrator account
• Click Settings
• Click Notifications
• Click rsyslog
• Check the “Event type” check box
• Next to the “Add Rsyslog Server” button, type “Splunk_CEF_SYSLOG”. Then click the “Add Rsyslog Server” button.
• Enter the IP address of the Splunk server in the “IP Address” field.
• Make sure rsyslog settings are:
  • Format: XML concise for EX, XML normal for everything else
  • Delivery: Per event
  • Send as: Alert
  • Change the protocol dropdown to TCP (or use the special max chunk-size for UDP to 4096)
Remember to click the “Update” button when finished.
Figure 14: Steps to set up SYSLOG
JSON over HTTPS
The second option we will show is how to configure the FireEye device to send JSON over HTTPS. HTTPS can be a good
option if you are required or prefer to send data over an encrypted channel.
Complete the following steps to send data to Splunk using extended JSON via HTTPS Post:
• Log into the FireEye appliance with an administrator account
• Click “Settings”
• Click “Notifications”
• Click the “http” hyperlink
• Under the http hyperlink, make sure the “Event type” check box is selected
• HTTP settings should be:
  • Default delivery: Per event
  • Default provider: Generic
  • Default format: JSON concise for EX, JSON normal for everything else
• Click the “Apply Settings” button
• Next to the “Add HTTP Server” button, type “SplunkHTTPS”. Then click the “Add HTTP Server” button.
• Next to the newly created SplunkHTTPS entry, select the “Enabled”, “Auth”, and “SSL Enable” check boxes.
• Enter the following settings:
  • Server URL: https://<SplunkAddress>:<PORT>/services/receivers/simple?host=<FireEyeAddress>&source=fe_alert&sourcetype=fe_json
  • Username: fireeye (or the username you created in Splunk)
  • Password: <password you created above in Splunk>
Note: The default port used above is 8089--unless it has been changed.
Ex: https://192.168.33.152:8089/services/receivers/simple?host=192.168.33.131&source=fe_alert&sourcetype=fe_json
Remember to click the “Update” button when finished.
Figure 15: Steps to configure the FireEye appliance to send data to Splunk
Optional Indexing
Note: Separate indexing may not work in all environments--such as complex distributed Splunk indexing and searching.
Upon installation, the FireEye App for Splunk Enterprise stores all alert data in Splunk’s default index called “main”.
Depending on the size of the deployment and the amount of data already stored in the main Index, this could cause a
significant performance issue. You have the option to store this data in its own index to improve search performance,
however at the current time this change is unsupported. That said, some clients have reported significant improvements
in search time when using a separate index. One real-world example is shown below along with the required
modification to enable separate indexing:
Customer Results: Year to date search takes 9 minutes 15 seconds to populate the main dashboard from the main
index. After the change to a separate index, it was reduced to 20 seconds.
Steps:
Remember to first create the index:
Settings -> Data -> Indexes -> New -> Index name: fireeye -> Save
Out of the box configuration: eventtypes.conf is:
    [fe]
    search = sourcetype=fe_* OR sourcetype=hx_*
Modified configuration to support a separate “fireeye” index: change eventtypes.conf to:
    [fe]
    search = index=fireeye sourcetype=fe_* OR sourcetype=hx_*
props.conf change: remove the hash (#) symbol from the TRANSFORMS line below
    # Uncomment the next line to send FireEye data to a separate index called "fireeye"
    #TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in
Note: If the index is not going to be called fireeye, then transforms.conf needs to be modified.
Change the RESTful string in the FireEye appliance:
    https://xx.xx.xx.xx:8089/services/receivers/simple?host=xx.xx.xx.xx&source=fe_alert&index=fireeye&sourcetype=fe_json
(Special thanks to Richard Griffith for the research and solution.)
Integrating FireEye PX
Follow the steps below to integrate FireEye PX with the FireEye App for Splunk Enterprise.
1. Run the setup within the app (Help -> Setup) and select the appliances
2. Add your PX appliance IP addresses in the following file: $SPLUNK_HOME/etc/apps/FireEye_v3/lookups/px_appliances.csv
Original config:
    system
    <Configure me>
    <Read the config guide>
After you are done (assuming your PX appliance is 192.168.5.100):
    system
    192.168.5.100
If the setup file is configured with the PX check box checked, a PX Pivoting menu will be available in the drop down. If
the px_appliances.csv file is not configured, then <Configure me> will appear in the PX appliance drop down. If it is
configured, the IP of the appliance will be in the drop down.
Figure 16: Error message displayed when the PX is not configured
Once set up, the dashboard can be used to pivot based on any of the following data (as shown in the screenshot below):
• Time
• Source IP
• Source Port
• Destination IP
• Destination Port
• Source and Destination IP
• Source and Destination IP and Destination Port
• Source and Destination IP and Source and Destination Port
Figure 17: Fields that can be used to pivot
Integrating FireEye HX
Follow the steps below to integrate FireEye HX with the FireEye App for Splunk Enterprise.
1. Ensure that HX is selected as an option in the FireEye app under Help -> Configure App. (For more details, please see
the section called “Configuring the FireEye App for Splunk Enterprise”)
2. Log into FireEye with an Administrator account
3. Navigate to FireEye -> Administration
Figure 18: Administration menu in HX
4. Click the drop down and then Logging
Figure 19: Logging option
5. Enter the Splunk server IP, Port, and Select TCP as the protocol. Then click the Save button.
Figure 20: Entering syslog information
Integrating FireEye Threat Analytics Platform (TAP)
This section will outline how to integrate FireEye TAP into the FireEye App for Splunk Enterprise.
How it works
The diagram below is designed to show one possible use case. It also helps to illustrate data flow options between
Splunk and FireEye products.
Figure 21: One possible use case for TAP / Splunk integration
Requirements
• FireEye TAP is set up and receiving proper logs to generate events
• Third-party Splunk App - Rest API Module Input (Big thanks to: Damien Dallimore)
  • https://apps.splunk.com/app/1546/
Configuring the FireEye TAP API
The instructions below will outline how to configure the TAP API.
Create an API key
1. Log into the Threat Analytics Platform
2. Go to User settings by clicking the drop down arrow in the top right hand corner and then selecting “USER SETTINGS”
3. Select Applications and click “ADD NEW API KEY”
Figure 20: Generating an API key for TAP
4. Name the API key. Ex: Splunk API key
5. Save the API key in a secure place -- It will not be displayed again.
Figure 22: API key provided
Discover the TAP Instance ID
The requirements for this step are the following:
1. URL of the TAP instance
2. API key from previous step
Using curl, execute the following one-liner to retrieve the TAP Instance ID.
Syntax:
    curl -H "x-mansfield-key:INSERT_KEY_HERE" https://INSERT_URL_HERE/tap/api/v1/users/instance
Example:
    curl -H "x-mansfield-key:eb5123456789" https://yours.fireeyeapps.com/tap/api/v1/users/instance
Expected response:
    [{"id":"1234-123-123-123-123456789","name":"demo06","active":true}]
Be sure to copy down the TAP instance id that was returned from your query.
Now you have three pieces of vital information:
• URL of the TAP instance
• API key from previous step
• TAP instance ID
Install the Splunk Rest API Module Input
Use the App Manager within Splunk to search for “Rest API Module Input”
Figure 22: Installing Splunk REST API module Input
Or follow the manual installation instructions below:
1. Download the .spl or .tgz file from: https://apps.splunk.com/app/1546/
2. Navigate to “Apps” -> “Manage Apps”.
3. Click on “Install app from file”.
4. Upload the downloaded file using the form provided.
5. Restart if the app requires it: $SPLUNK_HOME/bin/splunk restart
Configure the Splunk Rest API Module Input
1. Add the following custom handlers to $SPLUNK_HOME/etc/apps/rest_ta/bin/responsehandlers.py. They rely on the json module and the print_xml_stream helper that this file already provides; each handler emits every record as an event and then moves the offset URL argument past the highest displayId seen, so the next poll only returns newer records:

    class FireEyeAlertHandler:
        def __init__(self, **args):
            pass

        def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
            if response_type == "json":
                output = json.loads(response_object.content)
                # Highest displayId seen in this response; -1 means none
                last_display_id = -1
                for alert in output["alerts"]:
                    # Emit each alert as its own Splunk event
                    print_xml_stream(json.dumps(alert))
                    if "displayId" in alert:
                        display_id = alert["displayId"]
                        if display_id > last_display_id:
                            last_display_id = display_id
                if not "params" in req_args:
                    req_args["params"] = {}
                # Advance the offset so the next poll starts after this batch
                if last_display_id > -1:
                    req_args["params"]["offset"] = last_display_id
            else:
                print_xml_stream(raw_response_output)

    class FireEyeIncidentHandler:
        def __init__(self, **args):
            pass

        def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
            if response_type == "json":
                output = json.loads(response_object.content)
                last_display_id = -1
                for incident in output["incidents"]:
                    print_xml_stream(json.dumps(incident))
                    if "displayId" in incident:
                        display_id = incident["displayId"]
                        if display_id > last_display_id:
                            last_display_id = display_id
                if not "params" in req_args:
                    req_args["params"] = {}
                if last_display_id > -1:
                    req_args["params"]["offset"] = last_display_id
            else:
                print_xml_stream(raw_response_output)
2. Within Splunk, go to Settings -> Data -> Data Inputs
3. Next to REST, click on Add new
Figure 23: Configuring the RESTful query options
4. To set up TAP alerts, fill in the following data fields and click the save button
   a. REST API Input Name: TAP-Alerts
   b. Endpoint URL: https://INSERT_URL_HERE/tap/api/v1/alerts
   c. HTTP Method: GET
   d. Authentication Type: None
   e. HTTP Header Properties: x-mansfield-key=INSERT_KEY_HERE,X-FireEye-Tap-Instance=INSERT_TAP_ID_HERE
   f. URL Arguments: offset=0
   g. Response type: json
   h. Response Handler: FireEyeAlertHandler
   i. Polling Interval: 30
   j. Set Sourcetype: “Manual”
   k. Select source type from list: fe_tap_json
5. To set up TAP incidents, fill in the following data fields and click the save button
   a. REST API Input Name: TAP-Incidents
   b. Endpoint URL: https://INSERT_URL_HERE/tap/api/v1/incidents
   c. HTTP Method: GET
   d. Authentication Type: None
   e. HTTP Header Properties: x-mansfield-key=INSERT_KEY_HERE,X-FireEye-Tap-Instance=INSERT_TAP_ID_HERE
   f. URL Arguments: offset=0
   g. Response type: json
   h. Response Handler: FireEyeIncidentHandler
   i. Polling Interval: 30
   j. Set Sourcetype: “Manual”
   k. Select source type from list: fe_tap_json
6. Upon saving, Splunk should attempt a query, thus if there are TAP events, they will show up in the FireEye App for
Splunk Enterprise under Visualization -> Tap Visualization and Analysis -> Tap Analysis
Figure 24: TAP visualization
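As an added example (not code from the guide or from the Rest API Module Input app), the alert handler's offset logic is run against a constructed in-memory stand-in for the TAP alerts endpoint, so the polling behaviour across several polls can be seen without a TAP instance. It assumes, as the handler does, that offset means "return alerts whose displayId is above this value", and it collects events in a list in place of print_xml_stream:

```python
import json

# Constructed stand-in for https://<tap>/tap/api/v1/alerts (not real FireEye data).
FAKE_TAP_ALERTS = [
    {"displayId": 101, "message": "constructed alert one"},
    {"displayId": 102, "message": "constructed alert two"},
    {"displayId": 103, "message": "constructed alert three"},
]


def add_fake_alert(display_id, message):
    """Simulate a new alert appearing in TAP between two polls."""
    FAKE_TAP_ALERTS.append({"displayId": display_id, "message": message})


def fake_tap_endpoint(offset):
    """Assumed endpoint semantics: return alerts whose displayId is above `offset`."""
    return {"alerts": [a for a in FAKE_TAP_ALERTS if a["displayId"] > offset]}


class FakeResponse:
    """Minimal stand-in for the response object the modular input passes in."""
    def __init__(self, payload):
        self.content = json.dumps(payload)


class FireEyeAlertHandler:
    """Same offset-tracking logic as the guide's handler; events are collected
    in self.emitted instead of being written with print_xml_stream()."""

    def __init__(self, **args):
        self.emitted = []

    def __call__(self, response_object, raw_response_output, response_type,
                 req_args, endpoint):
        if response_type != "json":
            # Non-JSON responses are passed through unchanged, as in the guide.
            self.emitted.append(raw_response_output)
            return
        output = json.loads(response_object.content)
        last_display_id = -1
        for alert in output.get("alerts", []):
            self.emitted.append(alert)
            # Remember the highest displayId so the next poll starts after it.
            if "displayId" in alert and alert["displayId"] > last_display_id:
                last_display_id = alert["displayId"]
        req_args.setdefault("params", {})
        # An empty poll leaves the offset untouched: nothing is re-fetched
        # and nothing is skipped.
        if last_display_id > -1:
            req_args["params"]["offset"] = last_display_id


def run_polls(handler, req_args, polls):
    """Simulate `polls` consecutive polls of the modular input.
    Returns the offset sent on each poll."""
    offsets = []
    for _ in range(polls):
        offset = req_args.get("params", {}).get("offset", 0)
        offsets.append(offset)
        resp = FakeResponse(fake_tap_endpoint(offset))
        handler(resp, resp.content, "json", req_args, "alerts")
    return offsets


if __name__ == "__main__":
    h = FireEyeAlertHandler()
    args = {"params": {"offset": 0}}   # matches "URL Arguments: offset=0"
    print(run_polls(h, args, 2), args["params"]["offset"], len(h.emitted))
```

The second poll sends offset=103, gets nothing back and leaves the offset alone, which is why each alert reaches Splunk exactly once even with a 30-second polling interval.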
Troubleshooting
There are many methods that can be used to troubleshoot connection issues.
Using Curl
Using any Linux host, or Cygwin on Windows, perform the following:
Step 1) echo test > test.xml
Step 2) curl -k -g --user <username>:<password> --data-binary @test.xml
Example:
    curl -k -g --user fireeye:1qaz@WSX --data-binary @oneline.txt "https://192.168.33.152:8089/services/receivers/simple?host=192.168.33.153&source=fe_alert&sourcetype=fe_xml"
Result:
You should see something similar to the following response from Splunk after issuing the command above:
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <results>
    <result>
      <field k="_index">
        <value>
          <text>default</text>
        </value>
      </field>
      <field k="bytes">
        <value>
          <text>4</text>
        </value>
      </field>
      <field k="host">
        <value>
          <text>Source IP Address here</text>
        </value>
      </field>
      <field k="source">
        <value>
          <text>fe_alert</text>
        </value>
      </field>
      <field k="sourcetype">
        <value>
          <text>fe_xml</text>
        </value>
      </field>
    </result>
  </results>
</response>
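As an added example (not part of the guide), a Python equivalent of the curl test: it builds the receivers/simple URL (including the optional index parameter from the Optional Indexing section), parses the reply format shown above, and reports whether the event landed with the expected source, sourcetype and index. The sample reply and its host address are constructed, and the expectation that _index reports the separate index name when one is used is an assumption:

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed copy of the reply shape shown in the curl test (host address made up).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response><results><result>
<field k="_index"><value><text>default</text></value></field>
<field k="bytes"><value><text>4</text></value></field>
<field k="host"><value><text>192.168.33.153</text></value></field>
<field k="source"><value><text>fe_alert</text></value></field>
<field k="sourcetype"><value><text>fe_xml</text></value></field>
</result></results></response>"""


def build_receiver_url(splunk_host, fe_host, sourcetype, port=8089,
                       source="fe_alert", index=None):
    """Assemble the receivers/simple URL used by the appliance and by the curl
    test. `index` is only added when the optional separate index is in use."""
    params = {"host": fe_host, "source": source}
    if index:
        params["index"] = index
    params["sourcetype"] = sourcetype
    return "https://%s:%d/services/receivers/simple?%s" % (
        splunk_host, port, urlencode(params))


def parse_receiver_response(xml_text):
    """Flatten <field k="..."><value><text>..</text></value></field> entries
    into a dict such as {"_index": "default", "sourcetype": "fe_xml", ...}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    fields = {}
    for field in root.iter("field"):
        text = field.find("./value/text")
        fields[field.get("k")] = text.text if text is not None else None
    return fields


def verify_ingest(xml_text, source, sourcetype, index="default"):
    """Compare the receiver's reply with what the app will search on.
    Returns a list of mismatches; an empty list means the test event landed
    with the expected source, sourcetype and index."""
    fields = parse_receiver_response(xml_text)
    expected = [("source", source), ("sourcetype", sourcetype), ("_index", index)]
    return ["%s: expected %s, got %s" % (k, v, fields.get(k))
            for k, v in expected if fields.get(k) != v]


def post_test_event(url, username, password, body=b"test\n", verify_tls=True):
    """Python equivalent of the curl command; verify_tls=False mirrors curl -k.
    Posts `body` with HTTP basic auth and checks the reply against the URL's
    own parameters (assumes _index echoes the index= value when one is set)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:  # skip certificate checks, like curl -k
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        reply = resp.read().decode("utf-8")
    want = dict(p.split("=", 1) for p in url.split("?", 1)[1].split("&"))
    return verify_ingest(reply, want["source"], want["sourcetype"],
                         want.get("index", "default"))
```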
Splunk Search
After the data is successfully sent to Splunk, you should be able to search for it using the following search term:
source=fe_alert
You should see “test” as the message body because it was in the body of test.xml
About the Author
Tony Lee has more than ten years of professional experience pursuing his passion in all areas of information
security. He is currently a Technical Director at Mandiant, a FireEye Company, advancing many of the network
penetration testing service lines. His interests of late are kiosk hacking, post exploitation tactics, and malware
research. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including
government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to
share knowledge as a contributing author to Hacking Exposed 7, frequent blogger, and a lead instructor for a
series of classes. He holds a Bachelor of Science degree in computer engineering from Virginia Polytechnic
Institute and State University and a Master of Science degree in security informatics from The Johns Hopkins University.
Email: Tony.Lee -at-FireEye.com
Linked-in: http://www.linkedin.com/in/tonyleevt
Special Thanks
Dennis Hanzlik
Dan Dumond
Ian Ahl
Dave Pany
Karen Kukoda
Leianne Lamb
Brian Stoner
Gunpreet Singh
Kate Scott
About FireEye, Inc.
FireEye protects the most valuable assets in the world from those who have them in their sights. Our combination of technology,
intelligence, and expertise — reinforced with the most aggressive incident response team — helps eliminate the impact of security
breaches. We find and stop attackers at every stage of an incursion. With FireEye, you’ll detect attacks as they happen. You’ll
understand the risk these attacks pose to your most valued assets. And you’ll have the resources to quickly respond and resolve
security incidents. FireEye has over 3,100 customers across 67 countries, including over 200 of the Fortune 500.
To learn more about
how FireEye can help you focus
on the alerts that matter,
visit: www.fireeye.com
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com
© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of
FireEye, Inc. All other brands, products, or service names are or may be trademarks
or service marks of their respective owners.