FireEye Dashboards Replicated In Splunk

After installing the FireEye app for Spunk and having some issues with it, the app was uninstalled, which left a gap that needed to be filled. So off I went into Splunk land to see if I could scrounge together some decent “dashboard” worthy search queries that could help display important information. Below are a collection of the search queries I have built thus far. It is, be no means, an exhaustive list because anyone who knows Splunk easily knows that there are soooo many more ways to show information – So feel free to use what I have as a base and start playing with the queries and find what works for you. And hopefully you will learn a bit of Splunk in the process, like I did…

FireEye - Detected Malware Signature Types

Splunk Search Syntax For Above Graph:

index="*your-index-here*" sourcetype="*your-sourcetype-here*" 
 | chart count by signature
FireEye - Malware Event Detection Severity by Signature Types

Splunk Search Syntax For Above Graph:

index="*your-index-here*" sourcetype="*your-sourcetype-here*" 
 | chart count by severity, signature
FireEye - Web-MPS Detected - Top Malware Target Destinations

Splunk Search Syntax For Above Graph:

index="*your-index-here*" sourcetype="*your-sourcetype-here*" vendor_product="Web MPS" 
 | eval Source=if(isnotnull(src),src,src_ip)
 | eval ENDGAME=if(isnotnull(Host),Host,uri) 
 | eval ENDGAME=coalesce(ENDGAME,dest_ip)
 | top limit=10 ENDGAME
 | rename ENDGAME as "Calculated Dest"
FireEye - Email-MPS Detected - Top Inbound Email Senders

Splunk Search Syntax For Above Graph:

index="*your-index-here*" sourcetype="*your-sourcetype-here*"  
 | top alerts.alert.src.smtp-mail-from
FireEye - Email-MPS Detected - Top Inbound Email Sender Domains

Splunk Search Syntax For Above Graph:

index="*your-index-here*" sourcetype="*your-sourcetype-here*"  
 | top alerts.alert.src.domain

 

Operational dashboards

 

Web MPS

index=”malware_na” sourcetype=”fe_xml” vendor_product=”Web MPS” | rex “(?i)\\|.*?\\|(?P<category>[a-z]+\\-[a-z]+)(?=\\|)” | rex “(?i)\\-at>(?P<Time>[^<]+)” | eval URLMD5=case (category==”malware-object”,md5sum, category==”web-infection”,uri, category==”infection-match”,uri, category==”malware-callback”,uri, category==”domain-match”,url) | eval FileType=if(isnotnull(filename),filename,”URL”) | eval “Source”=if(isnotnull(src),src,src_ip)|eval “ENDGAME”=if(isnotnull(Host),Host,url) | eval ENDGAME=coalesce(ENDGAME,dest_ip)| table alert_id,category,signature_type,signature,FileType,severity,Time,_time,Source,dest,ENDGAME,URLMD5, | sort -_time | rename alert_id as “Event.ID”,category as “Malware.Type…”,signature_type as “Detection.Method”,FileType as “Calculated.File.Name/Type”,signature as “Signature.Name”,severity as “Severity”,Time as “Time.Of.Event.Detection”,Source as “Calculated.Source.Host/IP”,dest as “Target.IP”,ENDGAME as “Calculated.Dest.Host/URL/IP”, URLMD5 as “Calculated.URL/File Path/Md5sum”

 

Email MPS

index=”malware_na” sourcetype=”fe_xml” vendor_product=”Email MPS” | rex “(?i)\\|.*?\\|(?P<category>[a-z]+\\-[a-z]+)(?=\\|)” | rex “(?i)\\-at>(?P<Time>[^<]+)” | eval URLMD5=case (category==”malware-object”,md5sum, category==”web-infection”,uri, category==”infection-match”,uri, category==”malware-callback”,uri, category==”domain-match”,url) | eval FileType=if(isnotnull(filename),filename,”URL”) | table alert_id,category,signature_type,signature,FileType,severity,Time,src,message_subject,URLMD5 | sort Time desc | rename alert_id as “Event.ID”,category as “Malware.Type…”,signature_type as “Detection.Method”,signature as “Signature.Name”,FileType as “Calculated.File.Name/Type”,Time as “Time.Of.Event.Detection”,severity as “Severity”,src as “Source (Email Sender)”,message_subject as “Email.Subject”,URLMD5 as “Calculated.URL/File Path/Md5sum”

 

FireEye Metrics for Splunk