IntroductionSplunk development has been a hobby of mine for a while now and the FireEye/Splunk app has been my outlet (when I get a fee night or weekend). I enjoy it because it is fun to see what you can create and even more fun to see how many people use the app and how they use it. The latest feature of the FireEye app will hopefully get a lot of use because the potential is unlimited.
I have helped SOC personnel investigate incidents and found it a bit cumbersome to search for and launch different tools--especially in a segment of the network that has no Internet access. Therefore, what I would like to do in the next couple of app releases is bring the tools to the analysts. This effort really started with the last release by introducing Virus Total lookups directly from the app (both hash and IP/URL). This time we are introducing two new tools: a base64 converter and a URL decoder. This could help investigators potentially decode C2 traffic, exploits, and attack URLs all without leaving the app.
After installing version 3.0.7 of the app, you may need to clear the local files--such as:
This local copy of the file may prevent you from seeing the new Toolbox menu that appears in the screenshots below.
As mentioned before, this feature was introduced in the last update, but if you have not seen the output, it is worth taking a look. This tool requires Internet access, but we supply an API key for your convenience.
This tool allows responders to encode and decode Base64 data by changing the operation. This tool does not require Internet access.
This last tool in the toolbox enables users to decode obfuscated URLs. This tool does not require Internet access.
Hopefully you will find these tools useful. Additionally, feel free to provide feedback on any tools you would like to see added to the Toolbox.