Every organization wants that single pane of glass that provides complete visibility using one set of credentials; however, achieving this can be a challenge even when all of the appliances are on premise. Now consider the difficulty when some of the security services are hosted in the cloud. Fortunately, it is only challenging and not impossible – the latest release of the FireEye App for Splunk Enterprise now supports ingestion of FireEye’s cloud-based Email Threat Prevention (ETP) event notification.
There are many approaches depending on architecture, and the following (Figure 1) is just one possibility:
- Setup a forwarder in the DMZ and whitelist the ETP Cloud IP destined to TCP port 6514
- Generate the required SSL certificates for Splunk (Figure 2)
- Configure the listener via inputs.conf (Figure 3)
- Contact ETP customer support to forward alert notifications
Figure 1: A FireEye ETP and Splunk setup
/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p
Figure 2: Generating SSL certificates
Figure 3: Create the listener using inputs.conf
This effort provides a single pane of glass by consuming data from on premise and cloud based protection. Alert notifications appear in the main analytics screen, as shown in Figure 4.
Figure 4: Analytics heads up display with ETP
Additional information can be gleaned from the ETP analytics screen, as shown in Figure 5.
Figure 5: ETP Analytics screen
More detailed information is displayed in the ETP analysis screen shown in Figure 6.
Figure 6: ETP Analysis Screen
Lastly, similar to other FireEye appliance data, we enable responders to pivot from the UrlHash field shown in Figure 6 to obtain a second opinion using a third party reputation databases. This quick pivoting helps shorten the time required to confirm maliciousness and complete an investigation.
FireEye continues to innovate and integrate with partner solutions to bring convenience to our customers. We hope you enjoy our latest efforts and gain additional insight from the dashboards. Feel free to send feedback within the Splunk app by using Help à Send Feedback. We leave you with these helpful links: