Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
FireEye NX Alerts | ✅ | | | | fireeye_nx_alerts | NDJSON | S3
FireEye EX Alerts | ✅ | ✅ | | | fireeye_ex_alerts | NDJSON | S3
Overview
FireEye, now Trellix, specializes in advanced threat intelligence, detection, and response solutions. It offers a range of cybersecurity products and services to help organizations protect against sophisticated cyber threats, detect breaches, and respond effectively to security incidents.
Supported data types
FireEye NX Alerts
Table name: fireeye_nx_alerts
FireEye NX alerts are generated by the FireEye NX platform, a network security solution that identifies and blocks advanced threats, malware, and zero-day attacks. These alerts provide detailed information about detected threats, including the severity of the threat, affected systems, and suggested remediation steps. They are crucial for cybersecurity teams to quickly respond to potential security incidents and protect the network from compromise.
FireEye EX Alerts
Table name: fireeye_ex_alerts
FireEye EX Alerts are notifications generated by the FireEye Email Security (EX) platform, designed to identify and stop email-based threats. These alerts provide organizations with information about potential security incidents related to phishing, malware attachments, and other malicious email activities. They are vital for timely response and remediation efforts to protect against email threats and breaches.
Send data to Hunters
Hunters supports the integration of FireEye logs using an intermediary S3 bucket.
To send data to Hunters:
Contact FireEye support to learn how to route your FireEye logs to S3.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Each log file must contain one event per line, and every line must be a complete JSON object (newline-delimited JSON, NDJSON). A single NX IPS alert line looks like this:
```json
{"msg":"normal","version":"9.0.3.936727","product":"CMS","alert":{"name":"ips-event","uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS","action":"notified","dst":{"ip":"10.1.1.28","port":80,"mac":"00:aa:bb:cc:dd:ee"},"id":11111,"severity":"crit","ack":"no","version":"9.0.2.929543","product":"Web MPS","explanation":{"ips-detected":{"match-count":1,"cve-id":"CVE-2015-1234","sig-revision":"11","action-taken":"N/A","attack-mode":"server","sig-name":"SQL Injection","sig-id":"12341234","mvx-status":"N/A"}},"appliance-id":"00:11:22:33:44:55","sensor":"sensor.sensor.com","alert-url":"https://myserver.com/notification_url/ips_events?ev_id=11111","src":{"ip":"10.1.1.29","port":12345,"mac":"00:11:bb:33:dd:55"},"vlan":"90","interface":{"interface":"pepe","mode":"tap","label":"lbl"}},"appliance":"myserver.servers.example","appliance-id":"00:88:88:22:11:33"}
```
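As an added example (not part of the Hunters documentation or any FireEye tooling), the following Python checker reads an NDJSON export in the format above before it is uploaded to S3: it flags lines that are not a single JSON object or that lack the alert identifiers, and flattens the fields a detection engineer usually pivots on. The sample events are constructed, with fabricated values.

```python
import json

# Constructed sample export: two alerts shaped like the NX sample above
# (fabricated values) plus one corrupted line, to exercise error handling.
SAMPLE_NDJSON = (
    '{"msg":"normal","product":"CMS","appliance":"myserver.servers.example","alert":{"name":"ips-event",'
    '"uuid":"abcdefgh-ijkl-1234-5678-123412341234","occurred":"2020-02-01T12:12:11Z","class":"IPS",'
    '"action":"notified","severity":"crit","src":{"ip":"10.1.1.29","port":12345},"dst":{"ip":"10.1.1.28","port":80},'
    '"explanation":{"ips-detected":{"sig-name":"SQL Injection","cve-id":"CVE-2015-1234"}}}}\n'
    '{"msg":"normal","product":"CMS","appliance":"myserver.servers.example","alert":{"name":"malware-object",'
    '"uuid":"00000000-0000-4000-8000-000000000002","occurred":"2020-02-01T13:00:00Z","class":"Malware",'
    '"action":"blocked","severity":"majr","src":{"ip":"10.1.1.40","port":443},"dst":{"ip":"10.1.1.28","port":80}}}\n'
    'not json at all\n'
)


def parse_fireeye_ndjson(text):
    """Return (events, errors) for one NDJSON export: events are flattened
    records; errors are (line number, reason) for lines that would not ingest."""
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines are harmless
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc.msg}"))
            continue
        alert = rec.get("alert") if isinstance(rec, dict) else None
        if not isinstance(alert, dict) or not {"uuid", "occurred"}.issubset(alert):
            errors.append((lineno, "missing alert.uuid or alert.occurred"))
            continue
        # IPS detail lives under explanation.ips-detected; other alert
        # classes (e.g. malware-object) legitimately lack it.
        ips = alert.get("explanation", {}).get("ips-detected", {})
        events.append({
            "uuid": alert["uuid"],
            "occurred": alert["occurred"],
            "name": alert.get("name"),
            "class": alert.get("class"),
            "severity": alert.get("severity"),
            "action": alert.get("action"),
            "src_ip": alert.get("src", {}).get("ip"),
            "dst_ip": alert.get("dst", {}).get("ip"),
            "sig_name": ips.get("sig-name"),
            "cve_id": ips.get("cve-id"),
            "appliance": rec.get("appliance"),
        })
    return events, errors
```

Run it over a real export file's contents and treat any entry in `errors` as a line to fix before the bucket is collected.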