FireEye Email Threat Prevention (ETP) + Splunk

Every organization wants that single pane of glass that provides complete visibility using one set of credentials; however, achieving this can be a challenge even when all of the appliances are on premises. Now consider the difficulty when some of the security services are hosted in the cloud. Fortunately, it is only challenging and not impossible – the latest release of the FireEye App for Splunk Enterprise now supports ingestion of FireEye’s cloud-based Email Threat Prevention (ETP) event notifications.

Setup

There are many approaches depending on architecture, and the following (Figure 1) is just one possibility:

  1. Set up a forwarder in the DMZ and whitelist the ETP cloud IP address for inbound connections to TCP port 6514
  2. Generate the required SSL certificates for Splunk (Figure 2)
  3. Configure the TLS listener via inputs.conf (Figure 3)
  4. Contact ETP customer support to have alert notifications forwarded to the listener

Figure 1: A FireEye ETP and Splunk setup

# Create a directory for the certificates and point OpenSSL at Splunk's bundled config
mkdir /opt/splunk/etc/certs
export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf

# Generate a private root CA (produces cacert.pem in the certs directory)
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs

# Generate a server certificate named "splunk", signed by that root CA;
# -p prompts for the passphrase that inputs.conf will need (produces splunk.pem)
/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p

Figure 2: Generating SSL certificates

# TLS syslog listener for ETP notifications; setting names are case-sensitive
[tcp-ssl://6514]
sourcetype = fe_etp

# Certificates generated in Figure 2
[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk.pem
password = <The password that was used in the genSignedServerCert>

Figure 3: Create the listener using inputs.conf
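Because Splunk silently ignores mis-cased setting names, a listener that never receives events is often just a typo in inputs.conf. The following added example (not part of the original post or the FireEye app) parses an inputs.conf fragment like Figure 3 and reports missing or mis-cased settings, a wrong sourcetype, and certificate paths that do not exist; the sample configuration and passphrase are constructed.

```python
import configparser
import os
from typing import Callable, Dict, List

# Constructed sample mirroring Figure 3; Splunk .conf setting names are case-sensitive
GOOD_CONF = """
[tcp-ssl://6514]
sourcetype = fe_etp

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk.pem
password = example-passphrase
"""

# Stanza -> settings the ETP listener needs before Splunk will accept TLS syslog on 6514
REQUIRED = {"tcp-ssl://6514": ["sourcetype"], "SSL": ["rootCA", "serverCert", "password"]}


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style inputs.conf, preserving the case of setting names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # configparser lowercases names by default; Splunk does not
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_listener(conf: Dict[str, Dict[str, str]], splunk_home: str = "/opt/splunk",
                   exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of problems; an empty list means the listener definition looks sane."""
    problems: List[str] = []
    for stanza, keys in REQUIRED.items():
        if stanza not in conf:
            problems.append(f"missing stanza [{stanza}]")
            continue
        for key in keys:
            if key in conf[stanza]:
                continue
            # Case-mismatched spellings such as 'Sourcetype' or 'serverCERT' are ignored by Splunk
            near = [k for k in conf[stanza] if k.lower() == key.lower()]
            hint = f" (found '{near[0]}' instead)" if near else ""
            problems.append(f"[{stanza}] missing '{key}'{hint}")
    listener = conf.get("tcp-ssl://6514", {})
    if listener.get("sourcetype", "") not in ("", "fe_etp"):
        problems.append("sourcetype must be fe_etp for the FireEye app to parse ETP events")
    for key in ("rootCA", "serverCert"):
        path = conf.get("SSL", {}).get(key)
        if path is not None and not exists(path.replace("$SPLUNK_HOME", splunk_home)):
            problems.append(f"{key} file not found: {path.replace('$SPLUNK_HOME', splunk_home)}")
    return problems
```

Run it against the real file with `check_listener(parse_inputs_conf(open(path).read()))` before restarting the forwarder.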

Results

This effort provides a single pane of glass by consuming data from both on-premises and cloud-based protection. Alert notifications appear in the main analytics screen, as shown in Figure 4.

Figure 4: Analytics heads-up display with ETP

Additional information can be gleaned from the ETP analytics screen, as shown in Figure 5.

Figure 5: ETP Analytics screen

More detailed information is displayed in the ETP analysis screen shown in Figure 6.

Figure 6: ETP Analysis screen

Lastly, as with other FireEye appliance data, we enable responders to pivot from the UrlHash field shown in Figure 6 to obtain a second opinion from third-party reputation databases. This quick pivoting helps shorten the time required to confirm maliciousness and complete an investigation.

Conclusion

FireEye continues to innovate and integrate with partner solutions to bring convenience to our customers. We hope you enjoy our latest efforts and gain additional insight from the dashboards. Feel free to send feedback within the Splunk app by using Help > Send Feedback. We leave you with these helpful links: